Did Zotero go from signed to unsigned code recently?

My firewall today started complaining about Zotero missing a code signature.
Was Zotero previously signed, and now it's not? Obviously it has security implications for me if Zotero was modified without my knowledge. I manually downloaded 5.0.31 from the website and the error persisted.

Error from my firewall (LittleSnitch on OSX 10.12.6) is below.



Rules exist for other connections of “Zotero” that require a valid code signature by Corporation for Digital Scholarship, US (8LAYR367YV), but the process has no valid code signature. This could mean that the application was possibly maliciously modified.

To allow this connection anyway, you can create a new rule for “Zotero” that ignores any code signature. This new rule would be less secure, though, and all existing rules for “Zotero” would also be modified to ignore any code signature.
  • Sorry, 5.0.31 was indeed unsigned by mistake. We made a change to the default build settings to make things easier for third-party developers and accidentally used those defaults when pushing out 5.0.31. We've pulled the 5.0.31 files and pushed out a 5.0.32 with a proper code signature, and we'll add some additional safeguards to prevent an unsigned build from being distributed in the future. Thanks for reporting this.
  • Wow! Thanks for the rapid fix @dstillman, especially on a weekend!
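
The check the firewall performed here, and the kind of pre-release safeguard mentioned in the reply, can be scripted with the macOS `codesign` tool. This is an added example, not part of the original thread or of Zotero's build scripts; the function names, file name and sample output are constructed, and the only value taken from the thread is the Team ID 8LAYR367YV.

```shell
#!/bin/sh
# Added example: gate on a macOS app's code signature and signing team.
# Function names are hypothetical; the Team ID is the one quoted in the thread.

EXPECTED_TEAM="8LAYR367YV"

# Constructed sample of `codesign -dv --verbose=4` output for a signed bundle
# (identifier and path are placeholders, not Zotero's real values).
SAMPLE_SIGNED='Executable=/Applications/Example.app/Contents/MacOS/example
Identifier=org.example.app
Authority=Developer ID Application: Example Org (8LAYR367YV)
TeamIdentifier=8LAYR367YV'

# check_signing_info TEAM_ID
# Reads `codesign -dv --verbose=4` output on stdin.
# Returns 0 = signed by TEAM_ID, 1 = unsigned, 2 = signed by someone else
# (including ad-hoc signatures, which report "TeamIdentifier=not set").
check_signing_info() {
    expected="$1"
    info=$(cat)
    case "$info" in
        *"not signed at all"*)
            echo "FAIL: no code signature"; return 1 ;;
    esac
    team=$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ "$team" != "$expected" ]; then
        echo "FAIL: team '${team:-missing}', expected '$expected'"; return 2
    fi
    echo "OK: signed by team $team"
}

# verify_app APP_PATH TEAM_ID   (macOS only: needs the codesign tool)
verify_app() {
    # 1. Cryptographic check: signature present and bundle contents unmodified.
    codesign --verify --deep --strict "$1" || return 1
    # 2. Identity check: codesign prints signing details on stderr.
    codesign -dv --verbose=4 "$1" 2>&1 | check_signing_info "$2"
}

# Usage: sh check_sig.sh /path/to/Zotero.app   (exits non-zero on failure)
if [ "$#" -ge 1 ]; then
    verify_app "$1" "${2:-$EXPECTED_TEAM}"
fi
```

Run as a release step, a non-zero exit blocks the upload of an unsigned or wrongly signed build; run by a user, it confirms the same Team ID that Little Snitch pins in its rules.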