I’m almost done with my deeper review of the firewall, but discovered something ugly in the process of podcasting and firewall testing.
If you enable the firewall in the “Set access for specific services and applications” mode, Leopard digitally signs applications on launch that aren’t already signed via Apple’s mechanism.
If that application happens to change during runtime, as Skype seems to, the signature no longer matches and the application won’t run. There are no dialogs or warnings; the icon just dances on the dock for a few bounces then disappears.
I went to podcast last night and had this happen. Reinstalling it fixed the problem, but then it hit again today. I looked in my console and saw the following:
Nov 1 16:09:34 CrashBook [0x0-0x27027].com.skype.skype[387]: Check 1 failed. Can’t run Skype
Googling that error returns some threads in Skype forums that indicate this is a known issue related to the firewall and code signing.
A reinstall fixes it, but this is, obviously, a bit of a problem.
I’m somewhat surprised this hasn’t made the rounds yet.
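To find which file an application rewrote between launches (the change that makes the signature stop matching), snapshot the bundle before the first launch and compare afterwards. This is an added example, not from the original post and not Apple's code-signing mechanism: it uses plain SHA-256 file hashes, and Example.app and its files are constructed stand-ins.

```python
import hashlib
import os
import tempfile

def snapshot(bundle):
    """Map each file's bundle-relative path to the SHA-256 of its contents."""
    digests = {}
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                data = os.readlink(path).encode()  # hash the link target, not the file behind it
            else:
                with open(path, "rb") as fh:
                    data = fh.read()
            rel = os.path.relpath(path, bundle).replace(os.sep, "/")
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests

def diff(before, after):
    """Return (modified, added, removed) lists of bundle-relative paths."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return modified, added, removed

def write(path, data, mode="wb"):
    with open(path, mode) as fh:
        fh.write(data)

def demo():
    """Constructed stand-in bundle: snapshot, simulate a self-modifying run, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "Example.app")  # hypothetical app, not Skype
        os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
        exe = os.path.join(bundle, "Contents", "MacOS", "Example")
        write(exe, b"original executable bytes")
        write(os.path.join(bundle, "Contents", "Info.plist"), b"<plist/>")
        before = snapshot(bundle)
        write(exe, b" patched at run time", "ab")  # app rewrites its own binary
        write(os.path.join(bundle, "Contents", "cache.dat"), b"x")  # and drops a new file
        return diff(before, snapshot(bundle))

if __name__ == "__main__":
    for label, paths in zip(("modified", "added", "removed"), demo()):
        print(label, paths)
```

Point `snapshot()` at the real bundle path before and after a launch to see which files the application touched.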
Reader interactions
16 Replies to “Leopard Firewall + Code Signing Breaks Skype (And Other Applications)”
[…] because the application’s checksum would no longer match the checksum in the signature.) If the application changes itself while running, as Skype does (and as some other applications do too), it won’t match the signature the next […]
[…] starts only once under Mac OS X “Leopard” if the “Leopard” firewall is set with the “Set access for specific services and applications” configuration…. The problem is essentially that the “Leopard” firewall detects that the […]
I posted an entry on my blog regarding this issue yesterday. Apparently, this Leopard firewall also breaks World of Warcraft and prevents it from running properly.
Skype obviously has several anti-reversing mechanisms within it, primarily code packing.
I wouldn’t have thought a packer would break the signing mechanism though, unless it’s modifying the file on disk (I don’t know why it would?). The other reason, and slightly more interesting explanation, might be that Apple is validating the application’s signature in memory? This might also stop some code injection tricks that the Matasano boys were talking about.
I’ve had this problem with either an upgrade or a clean install.
It’s only if you use the firewall in application control mode when Skype is launched. Allow all or block all don’t have the same effect.
It seems that not all Skype users face the above-described problem, probably depending on the firewall configuration or the way they installed/updated to Mac OS X 10.5. In addition, Skype doesn’t seem to be that important for Mac users …
Funny how it hasn’t spread more, I’ll be shocked if a lot of people haven’t been dealing with this for a while.
It has already made rounds, at least in German Mac forums, German blogs (e.g. MacHackers by the CCC) and in German blogs (e.g. MacMacken, see http://www.macmacken.com/2007/10/27/skype-mit-leopard-macken/).