Why isn't AuKey signing its software downloads?

Hi, I recently purchased and downloaded from the AuKey website the software driver for an AuKey GM-F3 Gaming mouse. Windows 10 complains that the software hasn’t been signed and should not be trusted. I therefore aborted the installation.

Why isn’t AuKey signing its software downloads?

Thanks


Hi @Jean-Claude

I understand you’re concerned with this. The software, if downloaded from our website, is safe to use.

I have asked my colleagues why we aren’t ‘signing’ it - as this should be done to ensure people like you aren’t worried about using the software. :pray:

Hi,

While I appreciate the presumption that if downloaded from the official website it’s presumably “safe”, given how easy it is to alter a binary with malware, there’s honestly ZERO excuse these days to not sign executables to attest to the fact that the executable hasn’t been tampered with.

It begs the question why Aukey isn’t doing this? It honestly can’t be to save costs.

Thanks,
Jean-Claude

Absolutely. I do agree - and unfortunately, I have zero control over that process. I’ve pushed this through to the right people and I hope that we’ll see something change :pray:

Perhaps in the alternative, they could at least publish on their website the download file SHA1, SHA256, or MD5 checksums that one can confirm using a Windows command line utility like CertUtil or FCIV? That way one can verify for themselves that a file hasn’t been tampered with after being published on their website.

Thanks,
Jean-Claude

I’ve asked the person responsible for this - so please bear with me. :pray:

Here are the file signatures for the GM-F3 Game Mouse driver downloaded from the AuKey website, as computed using CertUtil for MD5, SHA1 and SHA256:

09/23/2020 05:11 PM 3,787,264 AUKEY GM-F3 Gaming Mouse.exe

D:\AuKey Mouse>certutil -hashfile "aukey gm-f3 gaming mouse.exe" SHA256
SHA256 hash of aukey gm-f3 gaming mouse.exe:
b95985f48ebc3dc3e47b1bf5f46bbb428c8090c3e14f053818a874a8cd4cc663 <<<< SHA256 File Signature
CertUtil: -hashfile command completed successfully.

D:\AuKey Mouse>certutil -hashfile "aukey gm-f3 gaming mouse.exe" SHA1
SHA1 hash of aukey gm-f3 gaming mouse.exe:
869e9ed5c2473995b2233a0867f75bee2d362549 <<<< SHA1 File Signature
CertUtil: -hashfile command completed successfully.

D:\AuKey Mouse>certutil -hashfile "aukey gm-f3 gaming mouse.exe" MD5
MD5 hash of aukey gm-f3 gaming mouse.exe:
e813105e5f35d31ff647c835f3787d1c <<<< MD5 File Signature
CertUtil: -hashfile command completed successfully.

If the AuKey devs can’t sign their code releases, then in the alternative they should at least publish either an MD5, SHA1 or SHA256 signature for every downloadable executable on the website, as this would be very helpful to confirm that their executables haven’t been tampered with.

Thanks,
Jean-Claude

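Added example, not part of any post in this thread and not AuKey's code: a PowerShell function that runs both checks discussed above on a downloaded file, the Authenticode signature status and a SHA256 comparison against a published value. The function name `Test-Download`, the demo file name and its bytes are constructed for illustration.

```powershell
function Test-Download {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # value published by the vendor
    )

    # Authenticode check: Status is an enum such as Valid, NotSigned or
    # HashMismatch (signed file altered after signing).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Checksum check: normalise the published value (strip whitespace, upper-case)
    # before comparing it with the hash computed locally.
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()

    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha256          = $actual
        Sha256Matches   = ($actual -eq $expected)
    }
}

# Constructed demo input: a throwaway file standing in for a downloaded installer.
# It is not a real executable and carries no valid signature.
$demo  = Join-Path ([IO.Path]::GetTempPath()) 'constructed-installer.exe'
$bytes = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00)
[IO.File]::WriteAllBytes($demo, $bytes)

# Stand-in for the SHA256 a vendor would publish next to the download link.
$published = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash

# First run: file is unchanged since the checksum was "published".
Test-Download -Path $demo -ExpectedSha256 $published

# Second run: one byte changed after publication, so the comparison fails.
$bytes[5] = 0x01
[IO.File]::WriteAllBytes($demo, $bytes)
Test-Download -Path $demo -ExpectedSha256 $published

Remove-Item -LiteralPath $demo
```

The checksum comparison is only as trustworthy as the place the expected value came from, whereas a `Valid` signature status ties the file to the signer's certificate.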

I’ve shared this with the team - thanks! Appreciate it

Here’s the response I received from service@supportus.aukey.com regarding the fact that the AuKey devs don’t sign their code. It’s absolutely absurd. Clearly no one inside Aukey either cares or worse yet doesn’t understand the significant cybersecurity implications caused by the fact the company doesn’t sign their code. For a computer products company, this is irresponsible…


Hi Jean-Claude,

We’re very sorry for that.

According to the problem you encountered, we asked the relevant technical staff for you. It doesn’t matter, you can continue to download, this software will not affect your computer.

If you have any questions, please feel free to contact us.

Thanks again for your understanding.

Regards,

Sue

AUKEY Customer Service Team

Hi @Jean-Claude

I had passed this on and the techs were supposed to work on a solution - I guess this is their ‘temporary’ answer. :frowning:

Wish I had more that I could add to this - I know it’s a disappointment, not only for you but for others.

I’ll do my best to see what I can do internally to push this through as I 100% agree on the cybersecurity issues.