Verifying Adium Releases

After you've downloaded Adium, it can be a good idea to make sure you have downloaded the real Adium. While we have no reports of anyone distributing Adium with malicious changes (e.g., backdoors), it is better to be safe than sorry.

Starting from Adium 1.5.9, our releases are signed using GPG.

Import our key

To verify our releases, you first need to import our public key. This step only needs to be done once.

  1. Download and install GPG tools from
  2. Download DA9316A3.asc, which is our public key.
  3. Launch "GPG Keychain Access". In the "File" menu, choose "Import..." and select the DA9316A3.asc file.

Check a signature

  1. If you have not yet done this, download Adium 1.5.9.
  2. Download Adium_1.5.9.dmg.asc.
  3. Make sure both files are in the same directory (e.g., your Downloads folder).
  4. Right-click the Adium_1.5.9.dmg.asc file, go to "Services" and select "OpenPGP: Validate".
  5. When the signature matches, you should now see a window saying "Adium_1.5.9.dmg Signed by: The Adium Team (Key used to sign official Adium releases.) <feedback@…>".
  6. If the window says anything else instead, then something is wrong with your copy of Adium. We recommend you do not open this copy and you should contact us at feedback@….
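
The same check can be run from Terminal instead of the Services menu. The script below is an added example, not part of the Adium project's instructions: it assumes the gpg command is on your PATH and that you pass the full fingerprint of the release key, obtained from a source you trust. The function names and the sample data are constructed for this example.

```shell
#!/bin/sh
# Added example, not Adium project code. Terminal counterpart of the
# "OpenPGP: Validate" step. One-time key import:  gpg --import DA9316A3.asc
# Function names and the fingerprint argument are assumptions of this example.

# sig_ok EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only when a VALIDSIG line
# names EXPECTED_FPR (signing key or primary key) and gpg reported no bad,
# unverifiable, expired or revoked status for the signature.
sig_ok() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_release FILE SIGNATURE EXPECTED_FPR
# Checks the detached signature and pins the result to one key, so a good
# signature from some other key in the keyring does not pass.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_ok "$3"
}

# Constructed sample data (not a real key, not gpg output from a real release).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2014-01-01 1388534400 0 4 0 17 2 00 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer"

# Usage: sh verify.sh Adium_1.5.9.dmg Adium_1.5.9.dmg.asc <full fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "Good signature from the expected key."
    else
        echo "Verification failed: do not open this copy." >&2
        exit 1
    fi
fi
```

The script fails closed: if gpg is missing, the key is not imported, or the signature was made by a different key, it reports a failure.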

What about auto-updates?

When Adium prompts you to automatically install an update, it will verify a DSA signature of the new copy it downloaded. If the signature does not match, or is missing, the install is canceled. You don't need to take any extra steps to make sure you get an official copy.

Page last modified by Frank, 7 years ago