ctwise wrote: As far as I know, only *.app bundles can be signed, which means that apps that install command-line tools outside of their app bundles can't sign those command-line tools. So /usr/local/clamXav/bin/freshclam won't have a signature.
Just to clarify: Plain old executables like command-line tools can actually be signed just the same as app bundles (also .framework bundles, .dylib libraries, etc.). Little Snitch does check that, too.
ctwise wrote: If you later update an app you would expect to get a Little Snitch warning that the application signature had changed.
Actually, the relevant parts of the code signature do not change when you install an update of an app. The signature is used by macOS as well as Little Snitch to identify the app across version changes. It contains the bundle identifier of the app (like at.obdev.LittleSnitchConfiguration) and the developer’s unique team identifier that is provided by Apple (like MLZF7K7B5R for Objective Development). The only reason the code signature of an app or a process needs to change is if one or both of those two identifiers change.
If that happens, Little Snitch will alert you if you have existing rules that require the old code signature. Also, macOS forces the app to ask again for permissions to access your Contacts, Calendars, Reminders, Location, Keychain Access, etc.
One of the most likely scenarios for this is when a developer sells the code of an app to another developer and therefore the next version of the app will have a code signature with a different team identifier.
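The comparison described in the reply above, as an added example that is not part of the original post or Objective Development's code: it reduces the report printed by `codesign -dv` to its `Identifier` and `TeamIdentifier` fields and compares two builds. The sample reports, the `ZZZZ999999` team and both function names are constructed for illustration.

```shell
#!/bin/sh
# Real use on macOS (codesign writes this report to stderr):
#   codesign -dv /usr/local/clamXav/bin/freshclam 2>&1 | signing_identity

# Read `codesign -dv` text on stdin; print "<identifier> <team>".
# Unsigned or ad-hoc code has no team ("not set"); "-" marks the gap.
signing_identity() {
    awk -F= '
        $1 == "Identifier"     { id = $2 }
        $1 == "TeamIdentifier" { team = $2 }
        END {
            if (id == "") id = "-"
            if (team == "" || team == "not set") team = "-"
            print id, team
        }'
}

# True only when both reports carry the same identifier and team.
same_identity() {
    a=$(printf '%s\n' "$1" | signing_identity)
    b=$(printf '%s\n' "$2" | signing_identity)
    case "$a" in "- "*|*" -") return 1 ;; esac   # fail closed on gaps
    [ "$a" = "$b" ]
}

# Constructed, abbreviated reports: two versions from one developer,
# one build re-signed by a different team, one ad-hoc signed tool.
V1='Identifier=at.obdev.LittleSnitchConfiguration
CodeDirectory v=20400 size=1200 flags=0x10000(runtime)
TeamIdentifier=MLZF7K7B5R'
V2='Identifier=at.obdev.LittleSnitchConfiguration
CodeDirectory v=20500 size=1900 flags=0x10000(runtime)
TeamIdentifier=MLZF7K7B5R'
SOLD='Identifier=at.obdev.LittleSnitchConfiguration
CodeDirectory v=20500 size=1900 flags=0x10000(runtime)
TeamIdentifier=ZZZZ999999'
ADHOC='Identifier=freshclam
CodeDirectory v=20400 size=300 flags=0x2(adhoc)
TeamIdentifier=not set'

same_identity "$V1" "$V2"   && echo "update: identity unchanged"
same_identity "$V2" "$SOLD" || echo "different team: identity changed"
same_identity "$ADHOC" "$ADHOC" || echo "ad-hoc: no team to match on"
```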