
Unsigned apps in 4.0.5 and 4.0.6

Posted: Fri Mar 23, 2018 7:58 am
by cheungpat

In 4.0.6, unsigned apps (or apps with a corrupted signature) are denied network access. I installed it and the behaviour is the same as what is described in the release notes:

Made Silent Mode actually silent again. Starting in Little Snitch 4.0.5, processes with certain code signature issues caused Connection Alerts to appear even during Silent Mode. These appeared in more situations than we originally intended, though, so we redesigned how this works. Now, no Connection Alerts will appear during Silent Mode (as it was before Little Snitch 4.0.5), but you may see a notification in the top-right corner of the screen about connections being denied due to code signature issues.

The problem is that I have tons of these unsigned apps. I am an application developer, and running the Android Studio emulator with Little Snitch 4.0.6 installed renders the emulator inaccessible to the Internet.

I cannot find the preference option to unblock unsigned apps. If there is one, it would be great if you could let me know.

I am looking to install Little Snitch 4.0.4, which has the old behavior in which network access of unsigned apps is monitored like other apps. But I couldn’t find the download link to the old version of Little Snitch. It would be great if you could publish that just like what you are doing in the older versions page.

Re: Unsigned apps in 4.0.6 - IntelliJ IDEA and Ruby

Posted: Mon Mar 26, 2018 9:40 pm
by Pluto1010

I'm experiencing major issues with the code signing in 4.0.6 too.
I'm using JetBrains IntelliJ IDEA for years now and actually in version 2017.3.5 (latest).
I'm also using RVM with ruby 2.4.3 for my actual project.

My problem is that IntelliJ creates logfiles inside "/Applications/IntelliJ".

Code:

$ codesign --verbose=4 --verify /Applications/IntelliJ\
/Applications/IntelliJ a sealed resource is missing or invalid
file added: /Applications/IntelliJ
file added: /Applications/IntelliJ
file added: /Applications/IntelliJ

I've managed that by locking the folder in the folder properties using Finder. This prevents IntelliJ from creating files there.

Code:

$ codesign --verbose=4 --verify /Applications/IntelliJ\
/Applications/IntelliJ valid on disk
/Applications/IntelliJ satisfies its Designated Requirement

Ok maybe this is an issue that should be addressed by JetBrains.

But I'm using Ruby:
And that's where it becomes difficult. Self-compiled or even prebuilt binaries from RVM (or Homebrew) are not signed. I would like to be able to tell Little Snitch that this is ok and it can ignore that. MacOS itself does not prohibit that I run my code using my tools!

Please help me as I have to uninstall LS if this stays like this. I would also like to install LS 4.0.4 as this worked before. The new behaviour may be an improvement in theory but in practice it's just annoying! Sorry to say that :cry:
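
Added example (not part of the original post and not Objective Development's code): a shell helper that classifies the text printed by `codesign --verbose=4 --verify`, separating a signed bundle whose seal was broken by added files from a binary that was never signed. The sample outputs and the `Example.app` paths are constructed; "code object is not signed at all" is the message codesign prints for unsigned binaries.

```shell
#!/bin/sh
# Triage `codesign --verbose=4 --verify` results for tools that a
# firewall with code signature checks may refuse to let connect.

# Constructed sample outputs (paths are made up for illustration).
SAMPLE_MODIFIED='/Applications/Example.app: a sealed resource is missing or invalid
file added: /Applications/Example.app/Contents/bin/idea.log'
SAMPLE_VALID='/Applications/Example.app: valid on disk
/Applications/Example.app: satisfies its Designated Requirement'
SAMPLE_UNSIGNED='/usr/local/bin/ruby: code object is not signed at all'

# classify_codesign TEXT -> prints valid | modified | unsigned | unknown
classify_codesign() {
    case "$1" in
        *"code object is not signed at all"*)
            echo unsigned ;;   # never signed (self-compiled, Homebrew, RVM)
        *"a sealed resource is missing or invalid"*|*"file added:"*)
            echo modified ;;   # signed, but bundle contents changed afterwards
        *"valid on disk"*"satisfies its Designated Requirement"*)
            echo valid ;;
        *)
            echo unknown ;;
    esac
}

# added_files TEXT -> prints each path reported as "file added:"
added_files() {
    printf '%s\n' "$1" | sed -n 's/^file added: //p'
}

# audit_paths PATH... -> one "status<TAB>path" line per argument (macOS only)
audit_paths() {
    for p in "$@"; do
        # codesign reports on stderr and exits non-zero on failure
        out=$(codesign --verbose=4 --verify "$p" 2>&1) || true
        printf '%s\t%s\n' "$(classify_codesign "$out")" "$p"
        added_files "$out" | sed 's/^/    added: /'
    done
}

# With arguments, audit them; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    audit_paths "$@"
fi
```

A "modified" result points at files written into the bundle after signing (the log file case above), while "unsigned" is the expected state of self-built tools and has to be handled in the firewall rule instead.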


Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Tue Mar 27, 2018 10:12 am
by chrismcg
I am having this problem too with tools installed via homebrew. Any git https url is not blocked and I'm not able to enable git-remote-https to allow it. I had to turn off Little Snitch to do some updates.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Wed Mar 28, 2018 7:28 am
by Pluto1010
I got a response from Obdev to my support request via email:

There is no bug and there has to be no fix for this.
If you want to allow unsigned applications, remove the deny rule created by Little Snitch and create an allow rule which ignores the Code Signature. That does the trick.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Wed Mar 28, 2018 11:47 am
by chrismcg
Hrm... I added a rule for the binary, verified that the binary isn't signed and the rule doesn't require a valid code signature, and Little Snitch is still overriding my rule and disallowing the connection. I'll open an issue with support too.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Thu Mar 29, 2018 9:41 am
by Niag
Same issue here
Will have to un-install if it isn't sorted.
Using bind dns on a MacBook, installed via Homebrew. This issue kills everything stone dead.
Not happy. What kind of upgrade is this? :?

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Thu Mar 29, 2018 10:01 am
by Niag
Try this for a workaround:
As noted above deleting the deny rule just gets it re-created and you can't give the allow rule higher priority than the deny rule.
Try turning the deny rule off. Do not delete, just untick the box.
Don't know yet if this will persist over a reboot but it appears to be holding up for now.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Thu Mar 29, 2018 10:16 am
by Niag
Scratch that.
Rule turned itself back on.

This is ridiculous!

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Thu Mar 29, 2018 10:47 am
by Niag
Support call opened.
Downgraded app to a working version.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Wed Apr 04, 2018 2:29 pm
by iovis
I'm having this issue as well, couldn't find a way to tell LS to trust these apps. It happens both with unsigned homebrew packages and with ruby versions I install via rbenv and I can't work properly unless I completely disable LS.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Fri Apr 06, 2018 2:13 am
by atb
Same problem, very frustrating. Downgraded to 4.0.4 and I'm able to allow the applications to work.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Fri Apr 06, 2018 7:20 am
by gashalot
I rarely sign up for forums, but I wanted to add another vote here. As a recent convert to the tool, I appreciate the intent behind the change, but it must be configurable. Too many (all?) of your users are admins, SREs, engineers, developers, or someone else who relies on tools that don't come with an Apple-approved signature. We've got to have a way to turn off the code signature rule or whitelist some applications as a regular connection.

From a threat perspective, I'd rather see you blacklist known tracking/ad companies first, instead of my development tools.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Mon Apr 09, 2018 9:45 am
by christian
You CAN configure it. When you double-click a rule in Little Snitch Configuration, you can edit its properties. One of the properties is whether a valid code signature should be required.

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Mon Apr 09, 2018 10:44 am
by marco
As Christian wrote, there definitely is a way to tell Little Snitch that you want to ignore the code signature of a particular app or executable. We are aware that this is not easy to find, depending on how the issue presents itself the first time (e.g. Connection Alert vs. Silent Mode).

As is very clear from the feedback in this thread and via other means (Twitter, tech support), the workflow around executables with code signature issues is anything but straightforward. There will be improvements to this in the next update, e.g. that these extra high priority code signature issue override rules will become editable. Right now, you can only delete them, not edit them. We will make them editable and when you change them, they will lose their extra high priority and instead become rules with regular priority that ignore the executable’s code signature.

For now, we updated the documentation around this issue. I hope you find the following sections especially helpful: ... osignature ... g-whattodo

Please let us know if you have ideas on how to improve the situation. Our goal is definitely not preventing things installed via Homebrew from working!

Re: Unsigned apps in 4.0.5 and 4.0.6

Posted: Tue Apr 10, 2018 3:58 pm
by ryanparrish
For others in this thread that might be still stuck with the blocking rule re-enabling itself after disabling it, you have to remove the code signature requirement on the *via* program. In my case I was trying to run svn from homebrew (which has no signature) in iTerm2 and I couldn't get it to work, the solution from reading the docs was to remove the code signature requirement from iTerm2. After I did that, there were no issues. Obviously this has some security implications for processes run in the terminal, but when the tradeoff is disabling LS then I think it's worthwhile. ... g-whattodo

Matching rules for an application exist, but the connecting via-process has no valid code signature

You are using the curl command in Terminal to connect to There is a rule for Terminal that allows connections to and that requires a valid code signature. This rule automatically covers any possible via process (like Terminal via curl) and it requires the via process to have a valid code signature, too (not a specific one – just any valid code signature). But if curl does not have a valid code signature, there’s a code signature mismatch.