[Frodo] Firewall popup - allow incoming connections
#31
(2014-03-07, 03:42)matman_uk Wrote: Just spread the love in other ways dude - help an old lady across the street if yr XBMC is making you happy Angel

Would love to know if this airplay issue (I tested this the other night and came to the exact same conclusion before finding this thread) is fixed in Gotham or if the popup problem remains? I'm guessing it's the same deal.... as the issue is with Mavericks not XBMC.

If it's with Mavericks, why is XBMC the only program many of us have seen that has the problem? Not all my software is signed (hell most of it isn't). I'm not saying it's something XBMC is doing but I'm not dismissing it either.
THEATER: Epson 3100 3D Projector, DaLite 92" screen, 11.1.6 (Marantz SR7012 + Yamaha HTR-5960 + Onkyo ESPro) - Mixed Dialog Lift  - PSB T45/B15/S50/X1T/CS500 Speakers & Def Tech PF-1500 15" sub ; Sources: PS4, LG UP875 UHD, Nvidia Shield (KODI), ATV4K, Zidoo X9S (ZDMC), LD, GameCube
Reply
#32
Hey, I've been researching the problem with "allowing incoming connections". It seems Apple made a change in Mac OS X 10.9 Mavericks. It has to do with the way XBMC.app is code signed. The frameworks, specifically the python2.6 directory files, need to be individually code signed during the initial build. I am not a programmer so I'm not sure how to go any further. But I linked some websites that have a deeper insight into the problem. http://stackoverflow.com/questions/19637...r-osx-10-9 I hope this helps to repair this issue.
Reply
#33
XBMC Firewall issue
So this is a collection of all the advice I found to solve the problem of the Firewall Popup on XBMC.
The first step is obtaining a code signing certificate.

In order to sign applications, you need to have a code signing certificate in your keychain.
If you're doing it just to modify applications for your own use (or you're a freeware or shareware developer who doesn't want the independent verification), you can generate your own certificate to use. This is done using the Keychain Access application, in the Utilities folder. Here's how:

1. Open Keychain Access.
2. Go to the Keychain Access menu, and under Certificate Assistant, choose Create a Certificate.
3. Name your Certificate. (XBMC)
4. For Type, choose Self Signed Root.
5. Make sure Let me override defaults is checked and click Continue.
6. Under Serial Number, use a random number. Just make sure there is no other certificate on your system with the same name and serial number.
7. Give yourself a sufficiently long validity period. For a little over 5 years, use 2000 days. For almost 11 years, choose 4000 days.
8. Under Certificate Type, choose Code Signing, and click Continue.
9. Enter your personal information on the next screen. Have fun with Organization and Organizational Unit. After all, this is for your own personal use. Don't use "Apple." I myself used something like "Orange Computer" for Organization and "Hacking Department" for Organizational Unit. Click Continue when all has been filled out.
10. For Key Pair Information, accept the defaults and click Continue.
11. For Key Usage Extension, accept the defaults and click Continue.
12. For Extended Key Usage Extension, accept the defaults and click Continue.
13. For Basic Constraints Extension, accept the defaults and click Continue.
14. For Subject Alternate Name Extension, accept the defaults and click Continue.
15. Use your "login" keychain to store the certificate and click Continue.
16. Now you have to set your certificate to be "trusted."
17. Go to your keychain, and right click (control click) on the new certificate you made and choose Get Info.
18. Open the triangle next to Trust.
19. Go down to Code Signing, and choose Always Trust.
20. Close the box. The system will ask for your admin password. Enter it and click OK.

Next step
Downloaded Python 2.6, extracted the zip file and copied FolderExtracted//Python-2.6.9/Mac/Resources/framework/Info.plist.in to /Applications/XBMC.app/Contents/Frameworks/lib/python2.6/. I renamed the file from Info.plist.in to Info.plist and ran the self-sign code mentioned earlier in this thread.

Run the code sign command on the terminal app.

codesign -s XBMC -f --deep /Applications/XBMC.app/

The first time you try, it will fail, and your Mac should want to install Apple's Command Line Install Tool. That's good; let the computer install it. Once installed, run the command in the terminal again:
codesign -s XBMC -f --deep /Applications/XBMC.app/

Then verify that it worked by running
codesign -vvv /Applications/XBMC.app/

Last but not least, go to System Preferences, Security & Privacy, Firewall. In Firewall Options, add XBMC.app to "allow incoming connections". If you already have XBMC on the list, delete it and then add it again.

This should get you most of the way there. It worked for me. Good luck
Reply
#34
That seems like an excessively complicated route to solve a problem that didn't exist on previous versions of XBMC. Hopefully this problem will not be present in Gotham.
Mac mini 2012
Drobo 4 bay
4 three terabyte HHD
Drobo 5 bay
5 four terabyte HHD
Reply
#35
No kindling!
If I had known it would take all that I would not have bothered. It's really a programming issue caused by OSX Mavericks changing the way it handles code signatures.
Reply
#36
Yeah, I'm sure all the other software out there (literally everything I have anyway) had to go to hell and high water to avoid Mavericks Firewall problems. In other words, like I said above, it's funny how they ALL work just fine in Mavericks and only XBMC has an issue.

My interim solution (until such time as someone on the XBMC team blesses us with an actual fix) is to just turn off Airplay in XBMC until I actually need to use it (not often given my AppleTVs have their own Airplay support built-in). The firewall issue just disappears then (well Airplay isn't the only thing that can make it crop up, but the rest are things I don't use either).
Reply
#37
This wiki post on an unrelated app called Serviio with the same problem is very good ..

In essence they state that something in the app, within the folder structure covered by the signature, is changing, and that once this has happened the only way to fix it is to manually re-sign the app.

From above:

Quote: Whenever the system encounters an unsigned application that requests access to the keychain or network, the application is signed ad-hoc with some self-signed certificate (presumably created at system install time, not sure there).

Now, Serviio stores its Apache Derby database and the log in Serviio.app/Resources/Java/library and Serviio.app/Resources/Java/log respectively. Thus the signature created during the first launch of Serviio, after the user confirmed network access, does not match the bundle's actual contents during the next launch, and the system reacts by making the user confirm network access again manually. Note that OSX never updates a bundle's signature, it only creates one if none exists. Thus, once the bundle is modified after the first launch, the dialog requesting network access pops up on every further start.

Luckily, however, the solution is quite simple. OSX does allow applications to modify their own bundle, it just requires one to clearly separate between volatile and non-volatile content. By default, only files under Contents/MacOS and Contents/Resources/ are included in the bundle's signature.

So let's assume the system must sign XBMC as part of "first run" confirmation or when XBMC is added as a firewall exception.

Then something changes..

Firewall complains and complains and complains ...

Makes sense to me. Question is, can someone more knowledgeable about XBMC guess what it is?
Reply
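Added example, not written by anyone in this thread: post #37 asks what inside the bundle changes after the first launch. The functions below snapshot every file in a bundle before and after a launch and list the paths that differ. The SHA-256 manifest is only a stand-in for the seal a code signature records (it is not Apple's format), and Demo.app with its files is constructed sample data.

```shell
#!/bin/sh
# Locate files that change inside an app bundle between two points in time.
# Assumption: a plain SHA-256 manifest approximates "what the signature sealed".

# Hash one file with whichever SHA-256 tool exists (Linux: sha256sum, macOS: shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot_bundle BUNDLE -> one "relative/path<TAB>sha256" line per regular file.
# Paths containing tabs or newlines are not supported.
snapshot_bundle() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "${f#./}" "$(hash_file "$f")"
      done )
}

# changed_files BEFORE AFTER -> paths that were added, removed or modified.
# A line present in only one manifest means that path differs between them.
changed_files() {
    cat "$1" "$2" | LC_ALL=C sort | uniq -u | cut -f1 | LC_ALL=C sort -u
}

# Constructed demo: a toy bundle that writes a log and a database into
# Contents/Resources, the pattern the quoted Serviio write-up describes.
demo() {
    tmp=$(mktemp -d) || return 1
    app="$tmp/Demo.app"
    mkdir -p "$app/Contents/MacOS" "$app/Contents/Resources/library"
    printf 'binary\n' > "$app/Contents/MacOS/demo"
    printf 'v1\n' > "$app/Contents/Resources/library/db.dat"
    snapshot_bundle "$app" > "$tmp/before.tsv"   # state at "signing" time
    mkdir -p "$app/Contents/Resources/log"       # simulated first launch
    printf 'started\n' > "$app/Contents/Resources/log/demo.log"
    printf 'v2\n' > "$app/Contents/Resources/library/db.dat"
    snapshot_bundle "$app" > "$tmp/after.tsv"
    changed_files "$tmp/before.tsv" "$tmp/after.tsv"
    rm -rf "$tmp"
}
demo
```

On a real system, run snapshot_bundle against /Applications/XBMC.app before and after a launch; each reported path is a candidate for what no longer matches the signature that `codesign -vvv` checks.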
#38
I've upgraded to Gotham and am still having this problem. So every time I boot up XBMC I have to get up off the couch, go to my computer and minimize the XBMC window so that I can give it permission. Not only is this incredibly frustrating and annoying, I really expected it to be fixed in Gotham. The only other program that does this is filebot, which I use to rename my media. But that I can handle since I'm at my computer, not on my couch with a remote instead of a mouse and keyboard.
Reply
#39
I don't understand all the technical details of why this happens, but I get the feeling that this -really- isn't XBMC's problem. The issue seems to be that if you want to use Apple's firewall and Apple's various security precautions then you have to play by Apple's rules. Apple gets more strict every year (and I don't blame them when it helps the average user). By default, you can't even install XBMC without bypassing gatekeeper, for example. If the devs have time and think it's worthwhile, then maybe one of them will find a way around Apple's requirements and restrictions, but eventually it's going to get to a point where you have to turn off more Apple security stuff to even use applications that aren't sandboxed or aren't signed by an Apple developer ID.

There's little incentive for a dev to fix this problem for other reasons. For one, not a lot of people enable the computer-level firewall. If your local network is protected (wifi password) then even the cheapest router will provide a firewall that is just as good. People typically dedicate a machine to run XBMC, and there often isn't much of a need to have high security features on something that is just a media center.

Maybe this is bad security philosophy, I don't know, but it seems like the easiest solution is right in front of everyone: stop using Apple's firewall. There are even other software firewalls out there that you can install on Mac OS X, like Little Snitch.
Reply
#40
Deleted ..
Reply
#41
FYI https://github.com/xbmc/xbmc/pull/4926

This might be enough for getting it right for the future (osx signs the app itself in mavericks once it has a proper structure). So in the end there shouldn't be any codesign fiddle required anymore.

Try this testbuild which should work with enabled firewall settings (it might ask once if it should be allowed in the firewall):

http://mirrors.xbmc.org/test-builds/osx/...x86_64.dmg

I tested it on 10.9.3 - would be great to hear back from older osx versions too.
Reply
#42
It worked fine in 10.9.2 (asked once but never again).

I tested it in 10.6.8 as well and saw no nag requests, but then I'm not sure if they ever showed up in Snow Leopard to begin with.
Reply
#43
Tested in Mavericks - all good now. Fantastic stuff Memphiz
Reply
#44
Great, with XBMC 14.0.alpha1 and OSX 10.9.4 no Firewall popup anymore!
thx Memphiz
Reply
#45
On my system I only needed to replace the DOCTYPE and version lines in Kodi's plist file with the ones from python, rather than replacing the entire plist file. This let the app stay identified as Kodi.
Reply
