
Mac OS X firewall: accept incoming network connections

If you are running a personal firewall on OS X and are getting the annoying message "Accept incoming Network Connections" every time you open a Java application, here's a solution...

I searched the web for a solution and found things like updating the JavaApplicationStub, deleting the "com.apple.alf.plist" file and code signing. I tried all of these and found the best solution was code signing.

Here are the steps I took to solve the problem (in OS X Lion):

Step 1: Create a signed certificate

1. Open 'Keychain Access'.
2. Go to the Keychain Access menu, and under Certificate Assistant, choose 'Create a Certificate'.
3. Name your Certificate (I recommend using something other than your first and last names).
4. For Identity Type: choose 'Self Signed Root'.
5. For Certificate Type: choose 'Code Signing'.
6. Make sure 'Let me override defaults' is checked and click 'Continue'.
7. Under Serial Number, just use a random number. It's very important no other certificate on your system has the same name and/or serial number.
8. Give it a long validity period (For a little over 5 years, use 2000 days. For almost 11 years, choose 4000 days).
9. Enter your personal information on the next screen. Have fun with Organization and Organizational Unit. After all, this is just for your personal use. Just don't use "Apple". Click 'Continue' when everything is filled out.
10. For 'Key Pair Information', 'Key Usage Extension', 'Extended Key Usage Extension', 'Basic Constraints Extension' and 'Subject Alternate Name Extension': Just accept the defaults and click 'Continue'.
11. Use your 'Login' keychain to store the certificate and click 'Continue'.
12. Now you have to set your certificate to 'Trusted'.
13. Go to your keychain, and right click (ctrl-click) on the new certificate you made and choose 'Get Info'.
14. Open the triangle next to 'Trust'.
15. Go down to Code Signing: choose 'Always Trust'.
16. Close the box. The system will ask for your admin password. Enter it and click 'OK'.

Step 2: Sign an application

Check whether an application is properly signed:

1. Open the 'Terminal'.
2. Type: codesign -vvv /path/to/application (the signing command, codesign -f -s "(name of certificate)" /path/to/application, is used in step 3 below)

Example of a not properly signed app:
Typed: codesign -vvv Aqua\ Data\ Studio.app/
Result: Aqua Data Studio.app/: invalid signature (code or signature have been modified)
In architecture: i386

Sign an app:
3. Type: codesign -s "My Signing Identity" -f Aqua\ Data\ Studio.app/
Result: Aqua Data Studio.app/: replacing invalid existing signature

Check the result:
4. Type: codesign -vvv Aqua\ Data\ Studio.app/
Result: Aqua Data Studio.app/: valid on disk
Aqua Data Studio.app/: satisfies its Designated Requirement
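The check-then-sign sequence of Step 2, wrapped in a small POSIX shell script so that an app is only re-signed when codesign reports its signature as missing or invalid. This is an added example, not code from the original post; it assumes macOS with codesign(1) on the PATH, and the identity name and bundle path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify an app bundle's
# code signature and re-sign it with a self-signed identity only when
# the current signature is missing or invalid.

# Decide from "codesign -vvv" output whether a bundle needs (re)signing.
# codesign writes its verdict to stderr; the lines seen on a broken
# bundle look like "invalid signature (code or signature have been
# modified)" or "code object is not signed at all", while a good one
# reports "valid on disk". Returns 0 = needs signing, 1 = leave alone.
needs_resign() {
  case "$1" in
    *"invalid signature"*|*"not signed at all"*|*"sealed resource is missing or invalid"*)
      return 0 ;;
    *"valid on disk"*)
      return 1 ;;
    *)
      # Unknown output: do not touch the bundle, let the caller inspect it.
      return 1 ;;
  esac
}

# Verify the bundle and sign it with the given identity when necessary,
# then verify again so the "valid on disk" line confirms the result.
sign_if_needed() {
  identity="$1"
  app="$2"
  out=$(codesign -vvv "$app" 2>&1)
  if needs_resign "$out"; then
    echo "re-signing: $app"
    codesign -s "$identity" -f "$app" && codesign -vvv "$app"
  else
    echo "no change: $app"
    echo "$out"
  fi
}

# Usage (placeholders): sign_if_needed "My Signing Identity" "/Applications/Aqua Data Studio.app"
```

Run it once per affected application after the certificate from Step 1 exists in the login keychain; if the verdict line is something other than the strings above, the script prints it and leaves the bundle untouched.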

After doing this, you have to accept the incoming network connections only once when you open your application. Ok... so admittedly, this is quite a bit of work, but if it's annoying you as much as it was annoying me, this is the way to fix it!