I suspect this is a HMAC-SHA1 similar to what the blog author surmised. It's possibly a response to the recent fiasco where they misrouted IMs.
I think they use this signature in their backend as a last defense when routing a message to a recipient. Being meant for the backend explains why messages with corrupt signatures are accepted (the backend notices that incoming signature is bad, so it doesn't use the signature to check the message when routing).
2) I'm curious about what people who say "crytpo in the browser/JS is bad" think about this. This seems to be a pretty good application of crypto to achieve a very narrow goal.
It is possible this is to stop misrouted messages, however, they didn't add it in response to the recent problems. There are some Google hits from 2007-2008 where the field was present, for example https://developer.pidgin.im/ticket/3360#comment:15. Before ~2009-2010 the field seems to have been 8 hex encoded bytes (half a MD5 hash?), after that they switched to the base64 format.
I think they use this signature in their backend as a last defense when routing a message to a recipient. Being meant for the backend explains why messages with corrupt signatures are accepted (the backend notices that incoming signature is bad, so it doesn't use the signature to check the message when routing).
2) I'm curious about what people who say "crytpo in the browser/JS is bad" think about this. This seems to be a pretty good application of crypto to achieve a very narrow goal.