SHA1 and SHA256 values for LittleSnitch-3.7.4.dmg

[Mike1234]

In light of what happened to an open source program handbrake recently
(you can read all about this here: https://arstechnica.com/security/2017/0 ... or-instead)

(lt;dr: official installer on an official mirror server got hacked and included a trojan. Btw, that trojan quits if it detects the presence of little snitch )

how do I know the dmg file I download, even from official little snitch website, is clean?
I can run codesign on terminal but that require me to mount the dmg file....which I am a bit afraid of without first verifying the download is clean.
The developer of little snitch don't seem to publish any sort of hash values for their dmg file (at least I cannot find it).
So I ran shasum on terminal and this is what I got for LittleSnitch-3.7.4.dmg downloaded on 2017-5-13 on their website.

sha1
868ad75623c60cb9ad428c7c1d3e5ae449a9033e
sha256
0ce3519d72affbc7910c24c264efa94aa91c9ad9b1a905c52baa9769156ea22

is there anyone can verify this is a clean dmg file? thanks

[AJ0]

I am really amazed that this post from 2017 never saw a response, in particular from the dev team.
And it seems still true today, no signatures publishes for any version of LS.
Do not believe or hope that it is enough that you download LS from a https:// secure site. That alone
is not guaranty that you run the code you think you run.

Hello, dev team, help ?? !!!

[Georgy]

Same for me, I think this issue is worth being addressed by the developers.
Publishing a simple MD5 or SHA hash for all released products is not a big effort. It may not be a silver bullet, but it cannot do any harm either.
Regards

[Mike1234]

I am quite surprised to get an email notice about someone responded to my year old post

I actually got a response from the developer and pointed out that in their FAQ on the website, they listed their developer id number and we can just check the code signature is signed by the correct ID.

I think this is a good compromise. Instead of publishing hash for every file they hosted, we can just check the developer ID is correct in the signature.

[Georgy]

While I do understand what a hash can do, and what it cannot for the user,
I am quite unfamiliar to what extent it is or is not possible to fake a developer ID.
My feeling is, it does not provide the same level protection and I don't know if this is a good compromise ... but :
Isn't it a piece of cake to create a hash number and upload it to your website after days and weeks of developing, coding, compiling ?

[Mike1234]

I think unless Apple got compromised, you cannot create a fake developer id signature.

As for hash, if someone can upload a fake installer, they might also be able to edit the webpage to change the published hash value. You might be able to find out later, it would be hard at the time of install.

Doesn’t google chrome installer for Mac have different hash every time you download? They also recommend use developer id to validate the file. I am not a security expert but if I see both apple and google okay with using developer signature to validate file. It might not be a bad idea.

Just my 2 cents.