Bug 428062

Older pre 1.8 versions of kdiff3 are indeed unsigned. They are also several years old and pre-date both Apple's default signing requirements and my own mantianership. Current releases found at https://download.kde.org/stable/kdiff3/ are indeed signed. However if you are using default configuration apple's systems may reject anything not downloaded from the App Store. This however should raise a different message.

I found the precise reason for the issue I believe.  Inspecting the DMG yields "Unnotarized Developer ID"

codesign --verify --verbose ~/Downloads/kdiff3-1.8.4-macos-64.dmg
/Users/mbidewel/Downloads/kdiff3-1.8.4-macos-64.dmg: valid on disk
/Users/mbidewel/Downloads/kdiff3-1.8.4-macos-64.dmg: satisfies its Designated Requirement

spctl --assess --verbose ~/Downloads/kdiff3-1.8.4-macos-64.dmg
/Users/mbidewel/Downloads/kdiff3-1.8.4-macos-64.dmg: rejected
source=Unnotarized Developer ID

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

I don't know when this will change as I don't have a developer account with apple and therefor cannot use their notarization service. In fact I don't even have a 64-bit OS X system. The MacOS X binaries are generated by automation at binary-factory.kde.org. Control clicking/right-clicking kdiff3 and selecting open should by pass the notarization check and rely on the application signature alone. Unfortunately this does not change the fact that kdiff3 isn't going through Apple's security checks. It will however remove this warning for kdiff3.

Thanks, just got a chance to try the ctrl+click.  That does bypass the check.  Thanks for the work-around!