Jump to content

Workflows that access internet always blocked by Little Snitch


Recommended Posts

Big Sur beta 9
Alfred 1.4.2 [1175]

Little Snitch 5.0 preview (6130)

 

I use Little Snitch to block various tracking info that apps may try to send back. Over the years, Little Snitch and Alfred have worked flawlessly. However, the update to big Sur and changes to network monitoring APIs have created an issue for me. Apparently Alfred workflows work without being signed; which does make sense because they're third party additions. Woever, because of this, and that Alfred runs this process from a different source every time, it is impossible for me to actually flag any of the processes as acceptable. I accept it once, and then immediately try to run the process again only to get another issue as the hashed source has changed.

 

Is there any possible fix I can run on Alfred to allow me to use workflows, or a fix in the future? Or am I seemingly out of luck with this?

 

Below are examples of the exact same process calling from different hashed sources:

 

2045033445_ScreenShot2020-10-02at4_21_20PM.png.8457b651c78bee1e1c155ebd45d7fc60.png 

 

 1168641359_ScreenShot2020-10-02at4_22_06PM.png.a4ef0367728eff407a714a0a10d322c9.png

Link to post
Share on other sites

You need to talk to the Little Snitch developers. Alfred hasn't changed; Little Snitch has.

 

There's nothing Alfred can do to trick Little Snitch into running a workflow because it would be a critical flaw in Little Snitch if it could.

 

Workflow developers aren't going to start signing their binaries because you need a paid Apple developer account to do so.

Edited by deanishe
Link to post
Share on other sites
9 minutes ago, deanishe said:

You need to talk to the Little Snitch developers. Alfred hasn't changed; Little Snitch has.

 

There's nothing Alfred can do to trick Little Snitch into running a workflow because it would be a critical flaw in Little Snitch if it could.

 

Workflow developers aren't going to start signing their binaries because you need a paid Apple developer account to do so.

I have contacted Little Snitch, and I'm waiting back from them. I was hoping there was something else going on that I could work around.

 

I was able to get the speedtest, dark sky, and giphy workflows to work, because they doesn't run out of a new cache every time so I can just flag the process as okay. Is it just the nature of certain workflows that they have to create a cache every time, whereas certain workflows can just run out of the workflow location?

 

Link to post
Share on other sites
8 hours ago, RothOfKhan said:

Is it just the nature of certain workflows that they have to create a cache every time, whereas certain workflows can just run out of the workflow location?

 

Hard to say for certain because you didn’t give any examples of workflows that Little Snitch doesn’t like, but I’d guess it’s caused by workflows that use Alfred’s {query} text macro in their scripts. That means that Alfred has to rewrite the script each time it runs it, which is probably what’s triggering Little Snitch.


You could try rewriting one of the offending workflows to use ARGV instead of {query} and see if that stops LS complaining.

Link to post
Share on other sites
15 hours ago, deanishe said:

 

Hard to say for certain because you didn’t give any examples of workflows that Little Snitch doesn’t like, but I’d guess it’s caused by workflows that use Alfred’s {query} text macro in their scripts. That means that Alfred has to rewrite the script each time it runs it, which is probably what’s triggering Little Snitch.


You could try rewriting one of the offending workflows to use ARGV instead of {query} and see if that stops LS complaining.

That might be it. It seems like for the most part the ones that I'm having an issue with, have queries now that I've figured out how to allow some of them.

 

Some of the ones that Little Snitch doesn't like are:

Reddit for Alfred [it doesn't like the location that reddit.py queries from when it accesses background.pyc]  (though that one's weird because it works for a little bit after I allow the process and had seemingly been working the last couple hours, so maybe this one was simple)

Searchio! [it doesn't like that it has Alfred connect to the internet out of /Users/[username]/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/E0907A41-FE9C-4F94-9261-3E14A0EF99AF (and a different folder every time).

Mediathorn - same as Searchio.
Urban Dictionary - Seems to be have the same as Reddit for Alfred

 

So the ones for sure that LS doesn't like are Searchio and Mediathorn, and maybe the other two but now I'm less certain on those two.

 

How hard are we talking for someone who knows very little about coding to be able to rewrite to use ARGV over query, assuming that might be the culprit?

 

Link to post
Share on other sites
On 10/4/2020 at 12:56 AM, RothOfKhan said:

Reddit for Alfred [it doesn't like the location that reddit.py queries from when it accesses background.pyc]  (though that one's weird because it works for a little bit after I allow the process and had seemingly been working the last couple hours, so maybe this one was simple)

 

It’ll probably give you issues repeatedly if LS complains about background.pyc. That’s the mechanism the workflow (and many others) use to update cached data in background processes (available updates, lists of subreddits, etc.) So LS will likely start complaining the next time the workflow wants to cache some data (after 24h at the latest, which is how often it checks for updates).

 

On 10/4/2020 at 12:56 AM, RothOfKhan said:

How hard are we talking for someone who knows very little about coding to be able to rewrite to use ARGV over query, assuming that might be the culprit?

 

It should be fairly simple with the two of those I wrote (Reddit and Searchio!), as I tend to treat Alfred’s Script box like a shell command and just write /path/to/script {query}.


If LS doesn’t like the background script, however, that’s a whole different ballgame. I’m not sure there’s any way to fix that.

Link to post
Share on other sites
  • 1 month later...
3 hours ago, Samwise said:

@RothOfKhan did you hear anything back from LS?

 

Big Sur and Little Snitch 5 both are now publicly available, and LS is playing havoc with my workflows.

 

Little Snitch put out an update today (5.0.2) with the following change:

 

Quote

Improvements

  • If the identity of a process is not checked, the identity of helper processes is now also not checked. This is a concession to the fact that apps without code signature usually ship with helpers that have no code signature. In addition, it allows iOS developers to disable identity checks on Xcode, thereby disabling identity checks on simulator apps running in Xcode's debugger.

 

 

With this, I've been able to turn off identity check for the processes I use, and so far it appears that all of my searches work as intended now. 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...