Page 1 of 1

SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Posted: Sun May 14, 2017 2:10 am
by Mike1234
In light of what happened to an open source program handbrake recently
(you can read all about this here: ... or-instead)

(lt;dr: official installer on an official mirror server got hacked and included a trojan. Btw, that trojan quits if it detects the presence of little snitch :D )

how do I know the dmg file I download, even from official little snitch website, is clean?
I can run codesign on terminal but that require me to mount the dmg file....which I am a bit afraid of without first verifying the download is clean.
The developer of little snitch don't seem to publish any sort of hash values for their dmg file (at least I cannot find it).
So I ran shasum on terminal and this is what I got for LittleSnitch-3.7.4.dmg downloaded on 2017-5-13 on their website.


is there anyone can verify this is a clean dmg file? thanks

Re: SHA1 and SHA256 values for LittleSnitch

Posted: Sun Dec 09, 2018 12:21 pm
by AJ0
I am really amazed that this post from 2017 never saw a response, in particular from the dev team.
And it seems still true today, no signatures publishes for any version of LS.
Do not believe or hope that it is enough that you download LS from a https:// secure site. That alone
is not guaranty that you run the code you think you run.

Hello, dev team, help ?? !!!

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Posted: Sun Dec 09, 2018 4:27 pm
by Georgy
Same for me, I think this issue is worth being addressed by the developers.
Publishing a simple MD5 or SHA hash for all released products is not a big effort. It may not be a silver bullet, but it cannot do any harm either.

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Posted: Mon Dec 10, 2018 9:27 pm
by Mike1234
I am quite surprised to get an email notice about someone responded to my year old post :D

I actually got a response from the developer and pointed out that in their FAQ on the website, they listed their developer id number and we can just check the code signature is signed by the correct ID.

I think this is a good compromise. Instead of publishing hash for every file they hosted, we can just check the developer ID is correct in the signature.

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Posted: Sat Dec 15, 2018 5:42 pm
by Georgy
While I do understand what a hash can do, and what it cannot for the user,
I am quite unfamiliar to what extent it is or is not possible to fake a developer ID.
My feeling is, it does not provide the same level protection and I don't know if this is a good compromise ... but :
Isn't it a piece of cake to create a hash number and upload it to your website after days and weeks of developing, coding, compiling ?

Re: SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

Posted: Sat Dec 15, 2018 6:30 pm
by Mike1234
I think unless Apple got compromised, you cannot create a fake developer id signature.

As for hash, if someone can upload a fake installer, they might also be able to edit the webpage to change the published hash value. You might be able to find out later, it would be hard at the time of install.

Doesn’t google chrome installer for Mac have different hash every time you download? They also recommend use developer id to validate the file. I am not a security expert but if I see both apple and google okay with using developer signature to validate file. It might not be a bad idea.

Just my 2 cents.