Syncthing 0.13.7 invalid signature

Recently the OS X firewall started to ask me “Do you want the application “syncthing” to accept incoming network connections?” over and over.

I did some digging and learned that it might be related to code signing. It looks like the latest binary has an invalid signature:

➜  ~ brew services stop syncthing
Stopping `syncthing`... (might take a while)
==> Successfully stopped `syncthing` (label: homebrew.mxcl.syncthing)
➜  ~ brew uninstall syncthing
Uninstalling /usr/local/Cellar/syncthing/0.13.7... (6 files, 14.8M)
➜  ~ rm /Users/ktombul/Library/Caches/Homebrew/syncthing-0.13.7.el_capitan.bottle.tar.gz
➜  ~ brew install syncthing
==> Downloading https://homebrew.bintray.com/bottles/syncthing-0.13.7.el_capitan.bottle.tar.gz
######################################################################## 100.0%
==> Pouring syncthing-0.13.7.el_capitan.bottle.tar.gz
==> Caveats
To have launchd start syncthing now and restart at login:
  brew services start syncthing
Or, if you don't want/need a background service you can just run:
  syncthing
==> Summary
🍺  /usr/local/Cellar/syncthing/0.13.7: 6 files, 14.8M
➜  ~                                                               
➜  ~ syncthing --version && codesign --verify -vv `which syncthing`
syncthing v0.13.7 "Copper Cockroach" (go1.6.2 darwin-amd64) brew@elcapitanvm.local 2016-06-13 16:06:12 UTC
/usr/local/bin/syncthing: invalid signature (code or signature have been modified)
In architecture: x86_64

According to this thread it should be signed.

It’s down to the brew people to sign it; we can’t force them. Releases on GitHub are signed.

Thanks, someone reported it to them but they said they don’t sign the binaries. I am not sure how the previous versions were signed.

I re-signed it myself and it works fine now.

Here is how I did it for reference (note that I already had a signing identity):

➜  ~ security find-identity -p codesigning                                                    

Policy: Code Signing
  Matching identities
  1) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX "iPhone Developer: Kazim Tombul (XXXXXXXXXX)"
     1 identities found

  Valid identities only
  1) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX "iPhone Developer: Kazim Tombul (XXXXXXXXXX)"
     1 valid identities found

➜  ~ sudo codesign --force --sign 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' `which syncthing`
Password:
/usr/local/bin/syncthing: replacing existing signature

➜  ~ codesign -vvv `which syncthing`
/usr/local/bin/syncthing: valid on disk
/usr/local/bin/syncthing: satisfies its Designated Requirement
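
The check used in this thread, generalized to a whole directory so that binaries with a broken signature can be told apart from ones that were never signed. This is an added example and not part of any post above; `classify_codesign` and `audit_dir` are hypothetical helper names, and the "not signed at all" sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage `codesign --verify -vv` results.

# Output copied from the thread for the Homebrew-poured binary.
SAMPLE_INVALID='/usr/local/bin/syncthing: invalid signature (code or signature have been modified)
In architecture: x86_64'
# Output copied from the thread after re-signing.
SAMPLE_VALID='/usr/local/bin/syncthing: valid on disk
/usr/local/bin/syncthing: satisfies its Designated Requirement'
# Constructed sample: the message codesign prints for a file with no signature.
SAMPLE_UNSIGNED='/usr/local/bin/example: code object is not signed at all'

# classify_codesign (hypothetical helper): read codesign diagnostics on stdin
# and print one verdict word. A present-but-broken signature is reported as
# "invalid", which is different from "unsigned".
classify_codesign() {
    out=$(cat)
    case "$out" in
        *"invalid signature"*) echo invalid ;;
        *"not signed at all"*) echo unsigned ;;
        *"valid on disk"*"satisfies its Designated Requirement"*) echo valid ;;
        *) echo unknown ;;
    esac
}

# audit_dir (hypothetical helper): verify each executable regular file in DIR
# and print "<verdict><TAB><path>". codesign writes its diagnostics to stderr,
# hence 2>&1.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        verdict=$(codesign --verify -vv "$f" 2>&1 | classify_codesign)
        printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Only run on a machine that has codesign (macOS); the default directory is
# the one syncthing was installed into in the thread.
if command -v codesign >/dev/null 2>&1; then
    audit_dir "${1:-/usr/local/bin}"
fi
```

Shell scripts and other non-Mach-O executables in the directory will show up as `unsigned`; the `invalid` rows are the ones that match the situation described in the thread.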