(you can read all about this here: https://arstechnica.com/security/2017/0 ... or-instead)
(tl;dr: the official installer on an official mirror server got hacked and included a trojan. Btw, that trojan quits if it detects the presence of Little Snitch.)

How do I know the dmg file I download, even from the official Little Snitch website, is clean?
I can run codesign in Terminal, but that requires me to mount the dmg file... which I am a bit afraid of without first verifying the download is clean.
The developer of Little Snitch doesn't seem to publish any sort of hash values for their dmg file (at least I cannot find them).
So I ran shasum in Terminal and this is what I got for LittleSnitch-3.7.4.dmg, downloaded on 2017-05-13 from their website.
SHA-1:   868ad75623c60cb9ad428c7c1d3e5ae449a9033e
SHA-256: 0ce3519d72affbc7910c24c264efa94aa91c9ad9b1a905c52baa9769156ea22
Is there anyone who can verify this is a clean dmg file? Thanks.