Adium is not signed with a developer certificate?

[vintagedave]

I just downloaded Adium from adium.im; the page says it's version 1.5.10.2. I'm running El Capitan 10.11.5, and my security settings are to only run apps from the Mac app store and identified developers.

When launching Adium, I get the message "Adium cannot be opened because the identity of the developer cannot be confirmed", which indicates the app is not signed with a known developer certificate. Oddly enough, there is no exact match on Google for this message when referring to the Adium client. This makes me worried that this is a new issue, which implies that the download from the site is not actually an official download built by the Adium dev team. (Not trying to be alarmist here, but it's a reasonable assumption it's normally signed, since that's standard for all software including open source, and no-one's asked about it being unsigned before according to Google, which makes the current situation odd.)

Is Adium usually signed? (I assume yes, it's very unlikely such a well-known app isn't.)
If so, why is the current download not signed?

[Zorg]

The issue is known.

[vintagedave]

Quote from the issue:

I suspect users are going away because of the huge security warning OS X is giving them...
I know I personally wasted a bunch of time trying to track down whether the download had been compromised and what was wrong before I found this Trac ticket.

That was the most recent comment on the issue, and was from February, four months ago. I spent a lot of time trying to figure out if the download was compromised too.

Any chance on fixing this? Unsigned software's rather unprofessional these days anyway, but on OSX for a well-known app in the wake of stories like the Transmission hack, it's really not expected - particularly that it hasn't been signed for a long time and it's not a priority for the developers, which in turn raises concerns about the project's security attitude as a whole. It makes the project appear an unreliable source. With that kind of attitude, even if it was signed, what guarantees are there that users can rely on the code itself being uncompromised and reliable? You need to be able to have a level of trust in the security attitude of a project.

[vintagedave]

Just following up here - I clicked the bug link to see if there were any comments indicating progress or that, as a security item, it had been bumped to a higher priority... and the bug tracking website's SSL certificate has expired, a week ago.

I'm not quite sure what to say here. I'm trying to communicate that security is important, especially in 2016, especially for a widely-used app. I got a four-word reply, and no reply to my followup, and then it appears the bug tracking website's certificates aren't even kept updated, a minor thing but indicative. I'm not sure what I could write here that could make the developers' attitude towards their users security sound any worse.

Any comment at all? Please?

[Zorg]

I, like you, am not representative of the Adium project in any way. I just happened to stumble across here.

What it looks like to me is that the team is lacking in resources, developers, or availability to properly maintain Adium, rather than them simply not caring or having a bad "attitude." It's a free project after all, and while still known it isn't quite that popular anymore.

[vintagedave]

I see - from what you wrote and how you wrote it, I thought you were a developer. That was not clear

[Robby]

This will finally be addressed in the next release. Very soon!

[Robby]

1.5.10.3 will address this issue and a beta is out: https://beta.adium.im Please test!

Details in our blog post: https://adium.im/blog/2017/03/adium-1-5-10-3b1/