Unsigned apps in 4.0.5 and 4.0.6

cheungpat
Posts: 1
Joined: Fri Mar 23, 2018 7:49 am

Unsigned apps in 4.0.5 and 4.0.6

Post by cheungpat » Fri Mar 23, 2018 7:58 am

Hi,

In 4.0.6, unsigned apps (or apps with corrupted signature) are denied network access. I installed it and the behaviour is the same as what is described in the release notes:

Made Silent Mode actually silent again. Starting in Little Snitch 4.0.5, processes with certain code signature issues caused Connection Alerts to appear even during Silent Mode. These appeared in more situations than we originally intended, though, so we redesigned how this works. Now, no Connection Alerts will appear during Silent Mode (as it was before Little Snitch 4.0.5), but you may see a notification in the top-right corner of the screen about connections being denied due to code signature issues.


The problem is that I have tons of these unsigned apps. I am an application developer, and running the Android Studio emulator with Little Snitch 4.0.6 installed renders the emulator inaccessible to the Internet.

I cannot find the preference option to unblock unsigned apps. If there is one, it would be great if you could let me know.

I am looking to install Little Snitch 4.0.4, which has the old behavior in which network access of unsigned apps is monitored like other apps. But I couldn’t find the download link to the old version of Little Snitch. It would be great if you could publish that just like what you are doing in the older versions page.

Pluto1010
Posts: 2
Joined: Mon Mar 26, 2018 9:11 pm

Re: Unsigned apps in 4.0.6 - IntelliJ IDEA and Ruby

Post by Pluto1010 » Mon Mar 26, 2018 9:40 pm

Hello!

I'm experiencing major issues with the code signing in 4.0.6 too.
I'm using JetBrains IntelliJ IDEA for years now and actually in version 2017.3.5 (latest).
I'm also using RVM with ruby 2.4.3 for my actual project.

My problem is that IntelliJ creates logfiles inside "/Applications/IntelliJ IDEA.app/Contents/bin".


$ codesign --verbose=4 --verify /Applications/IntelliJ\ IDEA.app
/Applications/IntelliJ IDEA.app: a sealed resource is missing or invalid
file added: /Applications/IntelliJ IDEA.app/Contents/bin/soapui.log
file added: /Applications/IntelliJ IDEA.app/Contents/bin/soapui-errors.log
file added: /Applications/IntelliJ IDEA.app/Contents/bin/global-groovy.log


I've managed that by locking the folder in the folder properties using Finder. This prevents IntelliJ from creating files there.


$ codesign --verbose=4 --verify /Applications/IntelliJ\ IDEA.app
/Applications/IntelliJ IDEA.app: valid on disk
/Applications/IntelliJ IDEA.app: satisfies its Designated Requirement


Ok maybe this is an issue that should be addressed by JetBrains.

But I'm using Ruby:
And that's where it becomes difficult. Self-compiled or even prebuilt binaries from RVM (or Homebrew) are not signed. I would like to be able to tell Little Snitch that this is ok and it can ignore that. macOS itself does not prohibit that I run my code using my tools!

Please help me as I have to uninstall LS if this stays like this. I would also like to install LS 4.0.4 as this worked before. The new behaviour may be an improvement in theory but in practice it's just annoying! Sorry to say that :cry:


chrismcg
Posts: 2
Joined: Tue Mar 27, 2018 10:04 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by chrismcg » Tue Mar 27, 2018 10:12 am

I am having this problem too with tools installed via homebrew. Any git https url is not blocked and I'm not able to enable git-remote-https to allow it. I had to turn off Little Snitch to do some updates.

Pluto1010
Posts: 2
Joined: Mon Mar 26, 2018 9:11 pm

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by Pluto1010 » Wed Mar 28, 2018 7:28 am

I got a response from Obdev to my support request via email:

There is no bug and there has to be no fix for this.
If you want to allow unsigned applications, remove the deny rule created by Little Snitch and create an allow rule which ignores the Code Signature. That does the trick.

chrismcg
Posts: 2
Joined: Tue Mar 27, 2018 10:04 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by chrismcg » Wed Mar 28, 2018 11:47 am

Hrm... I added a rule for the binary, verified that the binary isn't signed and the rule doesn't require a valid code signature, and Little Snitch is still overriding my rule and disallowing the connection. I'll open an issue with support too.

Niag
Posts: 4
Joined: Thu Mar 29, 2018 9:37 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by Niag » Thu Mar 29, 2018 9:41 am

Same issue here
Will have to un-install if it isn't sorted.
Using bind dns on a mac book, installed via homebrew. This issue kills everything stone dead.
Not happy. What kind of upgrade is this? :?

Niag
Posts: 4
Joined: Thu Mar 29, 2018 9:37 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by Niag » Thu Mar 29, 2018 10:01 am

Try this for a workaround:
As noted above deleting the deny rule just gets it re-created and you can't give the allow rule higher priority than the deny rule.
Try turning the deny rule off. Do not delete, just untick the box.
Don't know yet if this will persist over a reboot but it appears to be holding up for now.

Niag
Posts: 4
Joined: Thu Mar 29, 2018 9:37 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by Niag » Thu Mar 29, 2018 10:16 am

Scratch that.
Rule turned itself back on.

This is ridiculous!

Niag
Posts: 4
Joined: Thu Mar 29, 2018 9:37 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by Niag » Thu Mar 29, 2018 10:47 am

Support call opened.
Downgraded app to a working version.

iovis
Posts: 3
Joined: Wed Apr 04, 2018 2:28 pm

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by iovis » Wed Apr 04, 2018 2:29 pm

I'm having this issue as well, couldn't find a way to tell LS to trust these apps. It happens both with unsigned homebrew packages and with ruby versions I install via rbenv and I can't work properly unless I completely disable LS.

atb
Posts: 2
Joined: Fri Apr 06, 2018 2:12 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by atb » Fri Apr 06, 2018 2:13 am

Same problem, very frustrating. Downgraded to 4.0.4 and I'm able to allow the applications to work.

gashalot
Posts: 1
Joined: Fri Apr 06, 2018 7:16 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by gashalot » Fri Apr 06, 2018 7:20 am

I rarely sign up for forums, but I wanted to add another vote here. As a recent convert to the tool, I appreciate the intent behind the change, but it must be configurable. Too many (all?) of your users are admins, SREs, engineers, developers, or someone else who relies on tools that don't come with an Apple-approved signature. We've got to have a way to turn off the code signature rule or whitelist some applications as a regular connection.

From a threat perspective, I'd rather see you blacklist known tracking/ad companies first, instead of my development tools.

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by christian » Mon Apr 09, 2018 9:45 am

You CAN configure it. When you double-click a rule in Little Snitch Configuration, you can edit its properties. One of the properties is whether a valid code signature should be required.

marco
Objective Development
Posts: 64
Joined: Mon Jul 28, 2014 3:00 pm
Location: Vienna, Austria

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by marco » Mon Apr 09, 2018 10:44 am

As Christian wrote, there definitely is a way to tell Little Snitch that you want to ignore the code signature of a particular app or executable. We are aware that this is not easy to find, depending on how the issue presents itself the first time (e.g. Connection Alert vs. Silent Mode).

As is very clear from the feedback in this thread and via other means (Twitter, tech support), the workflow around executables with code signature issues is anything but straight-forward. There will be improvements to this in the next update, e.g. that these extra high priority code signature issue override rules will become editable. Right now, you can only delete them, not edit them. We will make them editable and when you change them, they will lose their extra high priority and instead become rules with regular priority that ignore the executable’s code signature.

For now, we updated the documentation around this issue. I hope you find the following sections especially helpful:
https://help.obdev.at/littlesnitch/#/ad ... osignature
https://help.obdev.at/littlesnitch/#/ad ... g-whattodo

Please let us know if you have ideas on how to improve the situation. Our goal is definitely not preventing things installed via Homebrew from working!

ryanparrish
Posts: 1
Joined: Fri Apr 06, 2018 7:24 pm

Re: Unsigned apps in 4.0.5 and 4.0.6

Post by ryanparrish » Tue Apr 10, 2018 3:58 pm

For others in this thread that might be still stuck with the blocking rule re-enabling itself after disabling it, you have to remove the code signature requirement on the *via* program. In my case I was trying to run svn from homebrew (which has no signature) in iTerm2 and I couldn't get it to work, the solution from reading the docs was to remove the code signature requirement from iTerm2. After I did that, there were no issues. Obviously this has some security implications for processes run in the terminal, but when the tradeoff is disabling LS then I think it's worthwhile.

https://help.obdev.at/littlesnitch/#/ad ... g-whattodo

Matching rules for an application exist, but the connecting via-process has no valid code signature
Example:

You are using the curl command in Terminal to connect to example.com. There is a rule for Terminal that allows connections to example.com and that requires a valid code signature. This rule automatically covers any possible via process (like Terminal via curl) and it requires the via process to have a valid code signature, too (not a specific one – just any valid code signature). But if curl does not have a valid code signature, there’s a code signature mismatch.
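
Added example (not part of any post in this thread, and not Objective Development's code): a small triage script that classifies `codesign --verbose=4 --verify` output, so you can see which executables are unsigned or have a broken seal before relaxing the signature requirement on any rule. The function names and the `/usr/local/bin/example-tool` path are assumptions; the "not signed at all" message and the `file modified:` / `file missing:` prefixes are codesign output that does not appear in the thread.

```shell
#!/bin/sh
# Constructed samples. The first two reuse the codesign output quoted earlier
# in the thread; the third pairs a made-up path with codesign's unsigned message.
SAMPLE_MODIFIED='/Applications/IntelliJ IDEA.app: a sealed resource is missing or invalid
file added: /Applications/IntelliJ IDEA.app/Contents/bin/soapui.log
file added: /Applications/IntelliJ IDEA.app/Contents/bin/soapui-errors.log
file added: /Applications/IntelliJ IDEA.app/Contents/bin/global-groovy.log'
SAMPLE_VALID='/Applications/IntelliJ IDEA.app: valid on disk
/Applications/IntelliJ IDEA.app: satisfies its Designated Requirement'
SAMPLE_UNSIGNED='/usr/local/bin/example-tool: code object is not signed at all'

# Map codesign's verification text to: valid | modified | unsigned | unknown
classify_codesign() {
    case "$1" in
        *"code object is not signed at all"*)        echo unsigned ;;
        *"a sealed resource is missing or invalid"*) echo modified ;;
        *"valid on disk"*)                           echo valid ;;
        *)                                           echo unknown ;;
    esac
}

# Print the paths codesign names as breaking the bundle's seal, one per line.
changed_files() {
    printf '%s\n' "$1" | sed -nE 's/^file (added|modified|missing): //p'
}

# Verify each path given and print "<state><TAB><path>", plus offending files.
audit_paths() {
    for audit_path in "$@"; do
        # codesign reports on stderr and exits non-zero on failure.
        audit_out=$(codesign --verbose=4 --verify "$audit_path" 2>&1) || true
        audit_state=$(classify_codesign "$audit_out")
        printf '%s\t%s\n' "$audit_state" "$audit_path"
        if [ "$audit_state" = modified ]; then
            changed_files "$audit_out" | sed 's/^/    changed: /'
        fi
    done
}

# Only audit when codesign exists (macOS) and paths were passed as arguments.
if command -v codesign >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
    audit_paths "$@"
fi
```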
