Adium

Opened 15 months ago

Closed 4 weeks ago

#16983 closed defect (fixed)

Adium has v1 Code Signing Signature

Reported by: Zorg
Owned by:
Milestone: Adium 1.5.10.3
Component: Adium Core
Version: 1.5.10
Severity: major
Keywords:
Cc: sphynx
Patch Status:

Description

Summary

Adium is not code signed properly.

Running codesign --verify -vvv --deep /Applications/Adium.app

yields:

/Applications/Adium.app: resource envelope is obsolete (version 1 signature)

Running spctl -a -t exec -vv /Applications/Adium.app

yields:

/Applications/Adium.app: rejected
source=obsolete resource envelope
origin=Developer ID Application: Instant Messaging Freedom, Inc.

As such, Gatekeeper is also not happy with Adium, so if you just download it and try to open it, it'll reject the user (unless the user opts out of Gatekeeper).

Version of Adium: 1.5.10.1

OS X: 10.11.3 (15D21)

Reproducible with older released versions of Adium too.
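
Added example (not part of the ticket and not Adium project code): a POSIX shell sketch that turns the output of the two commands above into a single verdict a deployment script can act on. The function names and verdict labels are hypothetical; the sample input is the output quoted in this ticket.

```shell
#!/bin/sh
# Constructed sample input: the output lines quoted in the ticket description.
SAMPLE_CODESIGN='/Applications/Adium.app: resource envelope is obsolete (version 1 signature)'
SAMPLE_SPCTL='/Applications/Adium.app: rejected
source=obsolete resource envelope
origin=Developer ID Application: Instant Messaging Freedom, Inc.'

# spctl_field KEY TEXT -> value of the first "KEY=value" line in spctl -vv output.
spctl_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# classify_signature CODESIGN_OUTPUT SPCTL_OUTPUT
# Prints one of: ok | v1-signature | rejected-other | unknown (labels are hypothetical).
classify_signature() {
    cs_out=$1
    sp_out=$2
    # Either tool can reveal a version 1 signature, so check both messages.
    case "$cs_out" in
        *"resource envelope is obsolete"*) echo "v1-signature"; return 0 ;;
    esac
    if [ "$(spctl_field source "$sp_out")" = "obsolete resource envelope" ]; then
        echo "v1-signature"
    elif printf '%s\n' "$sp_out" | grep -q ': rejected$'; then
        echo "rejected-other"   # rejected for some reason other than a v1 signature
    elif printf '%s\n' "$sp_out" | grep -q ': accepted$'; then
        echo "ok"
    else
        echo "unknown"
    fi
}

# check_app PATH: run the two commands from the ticket (macOS only) and classify.
# Both tools report on stderr, hence 2>&1; a non-zero exit is expected on failure.
check_app() {
    cs=$(codesign --verify -vvv --deep "$1" 2>&1) || true
    sp=$(spctl -a -t exec -vv "$1" 2>&1) || true
    classify_signature "$cs" "$sp"
}

# Classify the ticket's sample output; prints "v1-signature".
classify_signature "$SAMPLE_CODESIGN" "$SAMPLE_SPCTL"
```

On a Mac, `check_app /Applications/Adium.app` runs the real tools; a `v1-signature` verdict means the bundle has to be re-signed before Gatekeeper will accept it, as opposed to a download that fails verification for another reason.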

Change History (9)

comment:1 Changed 15 months ago by Robby

  • Cc sphynx added

comment:2 Changed 15 months ago by sphynx

  • Summary changed from Adium has Invalid Code Signing Signature to Adium has v1 Code Signing Signature

The code signature is correct; however, it is a version 1 signature, which isn't trusted anymore on 10.9.5+:

https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG205

The build machine compiling Adium is still running 10.7, so it would need to be re-signed on a machine with 10.9.

comment:3 Changed 15 months ago by Robby

Evan is the one with access to the build machine?

comment:4 Changed 15 months ago by dustbuster

Bump. I expect that a lot of people are going to be updating Adium with the recent Sparkle vulnerability, and v1.5.10.1 gets rejected by Gatekeeper.

comment:5 Changed 14 months ago by fcgreg

Can we get a status update please? This is a big deal... I suspect users are going away because of the huge security warning OS X is giving them when they attempt to install/run the updated/secure version of Adium.

I know I personally wasted a bunch of time trying to track down whether the download had been compromised and what was wrong before I found this Trac ticket. Thanks...

comment:6 follow-up: Changed 9 months ago by wtheaker

Is there a way to help out with this? Is newer hardware required to run 10.9? We're using autopkg to automate software deployment, and can't automatically verify applications with v1 signatures.[1]

[1]: https://github.com/autopkg/autopkg/wiki/Using-CodeSignatureVerification

comment:7 in reply to: ↑ 6 Changed 8 months ago by Robby

Replying to wtheaker:

> Is there a way to help out with this? Is newer hardware required to run 10.9?

We're on it… The hardware we use supports 10.9 and has been updated to 10.11.

> We're using autopkg to automate software deployment, and can't automatically verify applications with v1 signatures.[1]
> [1]: https://github.com/autopkg/autopkg/wiki/Using-CodeSignatureVerification

Thanks for the suggestion.

comment:8 Changed 5 weeks ago by Robby

  • Milestone changed from Adium 1.5.11 to Adium 1.5.10.3

comment:9 Changed 4 weeks ago by Robby

  • Resolution set to fixed
  • Status changed from new to closed