SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Mike1234
Posts: 4
Joined: Fri May 12, 2017 6:39 pm

SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Postby Mike1234 » Sun May 14, 2017 2:10 am

In light of what happened to the open source program HandBrake recently
(you can read all about this here: https://arstechnica.com/security/2017/0 ... or-instead)

(tl;dr: the official installer on an official mirror server got hacked and included a trojan. Btw, that trojan quits if it detects the presence of Little Snitch :D )

How do I know the dmg file I download, even from the official Little Snitch website, is clean?
I can run codesign in Terminal, but that requires me to mount the dmg file... which I am a bit afraid of without first verifying the download is clean.
The developer of Little Snitch doesn't seem to publish any sort of hash values for their dmg file (at least I cannot find it).
So I ran shasum in Terminal and this is what I got for LittleSnitch-3.7.4.dmg, downloaded on 2017-5-13 from their website.

sha1
868ad75623c60cb9ad428c7c1d3e5ae449a9033e
sha256
0ce3519d72affbc7910c24c264efa94aa91c9ad9b1a905c52baa9769156ea22

Is there anyone who can verify this is a clean dmg file? Thanks

AJ0
Posts: 4
Joined: Sun Mar 13, 2016 10:13 pm

Re: SHA1 and SHA256 values for LittleSnitch

Postby AJ0 » Sun Dec 09, 2018 12:21 pm

I am really amazed that this post from 2017 never saw a response, in particular from the dev team.
And it still seems true today: no signatures published for any version of LS.
Do not believe or hope that it is enough that you download LS from a secure https:// site. That alone
is no guarantee that you run the code you think you run.

Hello, dev team, help ?? !!!

Georgy
Posts: 3
Joined: Sun Oct 09, 2016 6:35 pm

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Postby Georgy » Sun Dec 09, 2018 4:27 pm

Same for me, I think this issue is worth being addressed by the developers.
Publishing a simple MD5 or SHA hash for all released products is not a big effort. It may not be a silver bullet, but it cannot do any harm either.
Regards

Mike1234
Posts: 4
Joined: Fri May 12, 2017 6:39 pm

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Postby Mike1234 » Mon Dec 10, 2018 9:27 pm

I am quite surprised to get an email notice that someone responded to my year-old post :D

I actually got a response from the developer, and they pointed out that in their FAQ on the website they list their developer ID number, and we can just check that the code signature is signed by the correct ID.

I think this is a good compromise. Instead of publishing a hash for every file they host, we can just check that the developer ID in the signature is correct.

Georgy
Posts: 3
Joined: Sun Oct 09, 2016 6:35 pm

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Postby Georgy » Sat Dec 15, 2018 5:42 pm

While I do understand what a hash can do, and what it cannot, for the user,
I am quite unfamiliar with the extent to which it is or is not possible to fake a developer ID.
My feeling is, it does not provide the same level of protection and I don't know if this is a good compromise ... but:
Isn't it a piece of cake to create a hash number and upload it to your website after days and weeks of developing, coding, compiling?

Mike1234
Posts: 4
Joined: Fri May 12, 2017 6:39 pm

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Postby Mike1234 » Sat Dec 15, 2018 6:30 pm

I think unless Apple got compromised, you cannot create a fake developer ID signature.

As for the hash, if someone can upload a fake installer, they might also be able to edit the webpage to change the published hash value. You might be able to find out later, but it would be hard at the time of install.

Doesn't the Google Chrome installer for Mac have a different hash every time you download? They also recommend using the developer ID to validate the file. I am not a security expert, but if I see both Apple and Google are okay with using a developer signature to validate files, it might not be a bad idea.

Just my 2 cents.
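
The developer ID check discussed in this thread, written out as an added example (not part of any post and not the vendor's own tooling). It assumes the disk image itself carries a signature. `ABCDE12345`, the sample output and the function names are constructed for illustration; the real Team ID is the one the vendor publishes.

```shell
#!/bin/sh
# Added example. ABCDE12345 is a placeholder Team ID, not a real vendor's.

# Constructed sample of `codesign -dv --verbose=4` output for a signed image.
sample_signed() {
cat <<'EOF'
Executable=/Users/me/Downloads/Example.dmg
Identifier=Example
Format=disk image
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
EOF
}

# Constructed sample for an ad hoc signature, which names no team.
sample_adhoc() {
cat <<'EOF'
Executable=/Users/me/Downloads/Example.dmg
Signature=adhoc
TeamIdentifier=not set
EOF
}

# Print the Team ID found in codesign output on stdin; nothing if "not set".
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | grep -v '^not set$' | head -n 1
}

# Succeed only when the output names exactly the expected Team ID.
team_id_matches() {   # usage: team_id_matches EXPECTED < codesign-output
    found=$(team_id_from_codesign)
    [ -n "$found" ] && [ "$found" = "$1" ]
}

# macOS only. Gatekeeper assessment first (signature intact, chain to Apple),
# then the signer check. Both read the .dmg directly; nothing is mounted.
verify_download() {   # usage: verify_download FILE EXPECTED_TEAM_ID
    spctl --assess --type open --context context:primary-signature "$1" || return 1
    codesign -dv --verbose=4 "$1" 2>&1 | team_id_matches "$2"
}

# Run as: sh verify.sh Download.dmg TEAMID
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2" && echo "signed by $2" || { echo "REJECTED"; exit 1; }
fi
```

The expected Team ID should come from a channel other than the download page itself, since whoever can replace the installer may also be able to edit the page.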

