Adium is not signed with a developer certificate?

An instant messenger which can connect to AIM, GTalk, Jabber, ICQ, and more.
vintagedave
Harmless
Posts: 4
Joined: Wed Jun 15, 2016 11:05 am

Adium is not signed with a developer certificate?

Postby vintagedave » Wed Jun 15, 2016 11:14 am

I just downloaded Adium from adium.im; the page says it's version 1.5.10.2. I'm running El Capitan 10.11.5, and my security settings are to only run apps from the Mac app store and identified developers.

When launching Adium, I get the message "Adium cannot be opened because the identity of the developer cannot be confirmed", which indicates the app is not signed with a known developer certificate. Oddly enough, there is no exact match on Google for this message when referring to the Adium client. This makes me worried that this is a new issue, which implies that the download from the site is not actually an official download built by the Adium dev team. (Not trying to be alarmist here, but it's a reasonable assumption it's normally signed, since that's standard for all software including open source, and no-one's asked about it being unsigned before according to Google, which makes the current situation odd.)

Is Adium usually signed? (I assume yes, it's very unlikely such a well-known app isn't.)
If so, why is the current download not signed?

User avatar
Zorg
Muffin
Posts: 31
Joined: Fri Dec 09, 2005 4:27 pm
Location: Space.
Contact:

Re: Adium is not signed with a developer certificate?

Postby Zorg » Thu Jun 16, 2016 10:21 pm

The issue is known.

vintagedave
Harmless
Posts: 4
Joined: Wed Jun 15, 2016 11:05 am

Re: Adium is not signed with a developer certificate?

Postby vintagedave » Fri Jun 17, 2016 11:13 am

Quote from the issue:
I suspect users are going away because of the huge security warning OS X is giving them...
I know I personally wasted a bunch of time trying to track down whether the download had been compromised and what was wrong before I found this Trac ticket.

That was the most recent comment on the issue, and was from February, four months ago. I spent a lot of time trying to figure out if the download was compromised too.

Any chance on fixing this? Unsigned software's rather unprofessional these days anyway, but on OSX for a well-known app in the wake of stories like the Transmission hack, it's really not expected - particularly that it hasn't been signed for a long time and it's not a priority for the developers, which in turn raises concerns about the project's security attitude as a whole. It makes the project appear an unreliable source. With that kind of attitude, even if it was signed, what guarantees are there that users can rely on the code itself being uncompromised and reliable? You need to be able to have a level of trust in the security attitude of a project.

vintagedave
Harmless
Posts: 4
Joined: Wed Jun 15, 2016 11:05 am

Re: Adium is not signed with a developer certificate?

Postby vintagedave » Fri Jul 01, 2016 12:23 pm

Just following up here - I clicked the bug link to see if there were any comments indicating progress or that, as a security item, it had been bumped to a higher priority... and the bug tracking website's SSL certificate has expired, a week ago.

I'm not quite sure what to say here. I'm trying to communicate that security is important, especially in 2016, especially for a widely-used app. I got a four-word reply, and no reply to my followup, and then it appears the bug tracking website's certificates aren't even kept updated, a minor thing but indicative. I'm not sure what I could write here that could make the developers' attitude towards their users security sound any worse.

Any comment at all? Please?

User avatar
Zorg
Muffin
Posts: 31
Joined: Fri Dec 09, 2005 4:27 pm
Location: Space.
Contact:

Re: Adium is not signed with a developer certificate?

Postby Zorg » Fri Jul 01, 2016 11:17 pm

I, like you, am not representative of the Adium project in any way. I just happened to stumble across here.

What it looks like to me is that the team is lacking in resources, developers, or availability to properly maintain Adium, rather than them simply not caring or having a bad "attitude." It's a free project after all, and while still known it isn't quite that popular anymore.

vintagedave
Harmless
Posts: 4
Joined: Wed Jun 15, 2016 11:05 am

Re: Adium is not signed with a developer certificate?

Postby vintagedave » Mon Jul 11, 2016 10:35 am

I see - from what you wrote and how you wrote it, I thought you were a developer. That was not clear :)

User avatar
Robby
Cocoaforge Admin
Posts: 2553
Joined: Mon May 01, 2006 3:00 am
Contact:

Re: Adium is not signed with a developer certificate?

Postby Robby » Tue Mar 21, 2017 10:45 pm

This will finally be addressed in the next release. Very soon!

User avatar
Robby
Cocoaforge Admin
Posts: 2553
Joined: Mon May 01, 2006 3:00 am
Contact:

Re: Adium is not signed with a developer certificate?

Postby Robby » Mon Mar 27, 2017 11:33 am

1.5.10.3 will address this issue and a beta is out: https://beta.adium.im Please test! =-)

Details in our blog post: https://adium.im/blog/2017/03/adium-1-5-10-3b1/


Return to “Adium”

Who is online

Users browsing this forum: No registered users