GOG recently switched to a new format for their Windows installers, using RAR password-encrypted archives.
If you don’t know about it yet, please read the opening post of this thread before going further:
https://www.gog.com/forum/general/on_gnulinux_has_anyone_be_able_to_extract_the_rar_innosetup_installers

This thread is not the place to discuss whether or not it is a good/bad practice, and whether or not it should be continued/discontinued. For this, the previous link is where the discussion is already going on.

I open this second thread so interested people can discuss *technical* improvements/alternatives to this method.
Here is the place to share your method for extracting these installers, suggest improvements or alternatives, and a place where I hope GOG technical staff will be able to discuss from a technical-only standpoint *without* having to justify the new installers format in any way.

Please stay courteous, and keep the heated posts and political stuff in the other thread.
Let's reiterate concerns voiced by Gowor first:

Hello,

-Rars are used for convenience, as they have some features that the old archives lack. For example when making a test build of the game, it's faster for us to update the archives than to repack them from scratch when making small changes for testers.

-Watermarking the installers with username is not planned. One, for ideological reasons, two it's not really technologically feasible.

-Yes, the archives are password-protected. Here's why:

The supported way of installing the games is by using the Installer, which apart from unpacking the files, also creates registry entries, shortcuts, compatibility fixes etc. We want to avoid the situation when a user sees an unprotected rar file, downloads and unpacks it, and gets a "broken" installation, because he didn't use the installer.
There were situations when users would download just a single part of the installer, or try to unrar it manually (because apparently some browsers detect our new archives as rar files), or even try to open the .bin files with the VLC Video Player.
In such a situation I think it's better to give immediate "it won't work that way" message, rather than allow someone to make a "partial" installation, which may or may not work, without any information.

Another reason - I want to avoid the situation where someone tampers with the archives (let's say adding malware, or some illegal content), and uploads the modified version on torrents. I don't want the GOG Installer installing anything else than it was supposed to, and it doesn't matter how it was obtained.

The Installer is designed mostly for reliability and ease of use for any user. And it's intentionally designed as it is.

Mind you - if you are using the supported installation mode, you don't have to enter the password anywhere. Nor is it in any way dependent on username, or hardware, or anything else. It's more or less hardcoded into the installer (I see you guys already figured out how), as much as the decompression algorithm. You can still use the installer exactly as you could since the beginning of GOG, and install your games wherever, whenever, and however many times you want. It doesn't detect where it was downloaded from either. That hasn't changed at all.

We don't really support installing the game by manually unpacking the archives (for whatever reason you do that). On the other hand, I see you already figured out the algorithm for obtaining the password, so you are still able to do as much. I'm not going to say "Hey, good job hacking into our software guys!", but I'm not going to try and make the password harder either.
Some proposals to address those concerns better:

- instead of RAR they can use 7z (LZMA2) non-solid archives quite easily. No need to resort to non-free formats.
- To avoid browsers or applications like VLC associating with GOG files they can use a different, unique extension as well as server-side prevention of MIME sniffing.
- To avoid tampering with the archive some other methods can be used without resorting to password-locked RARs (based on hashsums or checking the signature of the package in the installer and so on).
Post edited December 31, 2014 by shmerl
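The third proposal above (hashsums or a signature checked by the installer instead of a password-locked archive) is worth seeing in code, because it addresses the tampering concern from Gowor's post directly: a password that is hardcoded in the installer and already known stops nobody from repacking the archive with the same password, whereas a per-part hash manifest makes any altered, truncated, missing or extra .bin part fail before a single file is unpacked. The block below is an added example written for this thread, not GOG's installer code. It assumes the installer ships a manifest (file name, size, SHA-256 per part) and that the manifest itself is authenticated, for instance by being embedded in the signed setup .exe or by carrying an asymmetric signature checked against a public key in the installer; the signature step is not implemented here, and the file names and contents are constructed samples.

```python
import hashlib
import io
import json
from typing import BinaryIO

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB .bin parts need no RAM


def sha256_stream(fh: BinaryIO) -> str:
    """Stream a part through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def build_manifest(parts: dict[str, BinaryIO]) -> dict[str, dict]:
    """Build side: record the size and SHA-256 of every archive part.

    The resulting dict is what the publisher would sign (or embed in the
    signed installer executable); that step is assumed, not shown here.
    """
    manifest = {}
    for name, fh in parts.items():
        fh.seek(0)
        digest = sha256_stream(fh)
        manifest[name] = {"sha256": digest, "size": fh.tell()}
    return manifest


def serialize_manifest(manifest: dict[str, dict]) -> bytes:
    """Canonical JSON so the bytes that get signed are reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def verify_parts(manifest: dict[str, dict], parts: dict[str, BinaryIO]) -> list[str]:
    """Installer side: return the names of parts that must not be unpacked.

    A part is rejected when it is missing, has a different size (truncated
    or padded) or a different SHA-256 (modified). Parts present on disk but
    absent from the manifest are reported too: the installer should never
    unpack something the publisher did not list.
    """
    bad = []
    for name, expected in manifest.items():
        fh = parts.get(name)
        if fh is None:
            bad.append(name)
            continue
        fh.seek(0)
        digest = sha256_stream(fh)
        if fh.tell() != expected["size"] or digest != expected["sha256"]:
            bad.append(name)
    bad.extend(sorted(set(parts) - set(manifest)))
    return bad


def demo() -> dict[str, list[str]]:
    """Run the check over constructed sample parts; returns each scenario's verdict."""
    # Constructed sample "archive parts" standing in for setup_<game>-N.bin files.
    clean = {
        "setup_game-1.bin": io.BytesIO(b"A" * 100),
        "setup_game-2.bin": io.BytesIO(b"B" * 50),
    }
    manifest = build_manifest(clean)

    # Same size, one byte changed: what a repacked torrent upload would look like.
    tampered = dict(clean)
    tampered["setup_game-2.bin"] = io.BytesIO(b"B" * 49 + b"C")

    # User downloaded only the first part.
    partial = {"setup_game-1.bin": clean["setup_game-1.bin"]}

    # Someone dropped an extra part next to the genuine ones.
    extra = dict(clean)
    extra["setup_game-3.bin"] = io.BytesIO(b"malicious")

    return {
        "clean": verify_parts(manifest, clean),
        "tampered": verify_parts(manifest, tampered),
        "partial": verify_parts(manifest, partial),
        "extra": verify_parts(manifest, extra),
    }


if __name__ == "__main__":
    for scenario, rejected in demo().items():
        print(f"{scenario}: {'OK' if not rejected else 'reject ' + ', '.join(rejected)}")
```

The size check catches truncation cheaply before hashing is even needed, and hashing in fixed-size chunks keeps memory flat for the multi-gigabyte .bin parts these installers ship. Note that the manifest gives no protection on its own if an attacker can rewrite it alongside the parts, which is why its authenticity has to come from a signature verified with a key that lives only in the installer, not from a password the installer also carries.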
shmerl: Some proposals to address those concerns better:

- instead of RAR they can use 7z (LZMA2) non-solid archives quite easily. No need to resort to non-free formats.
- To avoid browsers or applications like VLC associating with GOG files they can use a different, unique extension as well as server-side prevention of MIME sniffing.
- To avoid tampering with the archive some other methods can be used without resorting to password-locked RARs (based on hashsums or checking the signature of the package in the installer and so on).
There are plenty of "solutions", but the thing to remember is that implementing them will take time and GoG staff probably have a lot of more important things on their plate with Galaxy and the rest.

So you have to remain realistic: they probably won't have that much time/resources to allocate to rethinking/redeveloping whole new installers, especially given that the current ones work fine for the intended users.

So for example, why switch from RAR to 7z? The fact that one is free and the other is not is a total non-issue; it's GoG who pays the license cost, and if they are more experienced with the RAR API or consider it better, it's their choice and there is nothing wrong with that.

Personally I think that now that the "password algorithm" is known, wouldn't the easiest way be to simply display the game ID somewhere on the game page? So people could simply get this ID, put it into any MD5 hash generator and as a result obtain the password needed to extract their games should they want to.

For GoG it would require minimal modification and people would be able to easily obtain the password without having to use some third-party script.
Post edited December 31, 2014 by Gersen
Gersen: There are plenty of "solutions", but the thing to remember is that implementing them will take time and GoG staff probably have a lot of more important things on their plate with Galaxy and the rest.
Please refrain from non technical discussion in this thread. Either present your proposal from that plenty or don't post here please. For non technical discussion there is another thread. This thread was created with limited focus.
Post edited December 31, 2014 by shmerl
shmerl: Please refrain from non technical discussion in this thread. Either present your proposal from that plenty or don't post here please. For non technical discussion there is another thread. This thread was created with limited focus.
If you had read the next sentence, it was there to point out that IMO propositions would have to remain as "realistic" and "simplistic" as possible if you want to expect GoG to consider them (i.e. asking them to change from RAR to 7z even though it doesn't really improve anything).

And I did post my proposal.
Simply give them some time. Look, we saw how the "bad regional pricing" stuff was successfully changed to the "most fair regional pricing right now". We saw how a company that said "nope, we can't give Linux support" ended up giving Linux support! And so on...
...GOG evolves with our constructive criticism. So: NEVER become irrational, but stay critical! That's the best help we can give to the GOG team!
Oh, and don't forget throwing in money. They need it; they don't know which turns were good and which weren't otherwise! Oh, and they couldn't get paid, which would be critical!
Is there a reason why it's the Linux guys who are the ones concerned about this change?
Gersen: So you have to remain realistic: they probably won't have that much time/resources to allocate to rethinking/redeveloping whole new installers, especially given that the current ones work fine for the intended users.
This is not for us to discuss, it's GOG employees' work. Let's focus on ideas, and leave the "doability" part in GOG's hands ;)
Gersen: So for example, why switch from RAR to 7z? The fact that one is free and the other is not is a total non-issue; it's GoG who pays the license cost, and if they are more experienced with the RAR API or consider it better, it's their choice and there is nothing wrong with that.
An interesting point. I see no problem at all with GOG using whatever format they want during internal work. But I have a strong bias towards open formats for the redistribution part, allowing for greater flexibility for those who want to tinker with the installers one way or another.
Gersen: Personally I think that now that the "password algorithm" is known, wouldn't the easiest way be to simply display the game ID somewhere on the game page? So people could simply get this ID, put it into any MD5 hash generator and as a result obtain the password needed to extract their games should they want to.
In that case, what are the differences between a well-known password and no password at all?
Niggles: Is there a reason why it's the Linux guys who are the ones concerned about this change?
Let's transfer this topic to the other thread, I answered your question there. This thread is limited to discussion of technical solutions and proposals for this issue.
Post edited December 31, 2014 by shmerl
RadonGOG: (…)
Niggles: (…)
Wrong thread guys ;)
Sorry if I sound a bit rude, but I would like to keep this place free from the polemic which is going on the other thread. Just follow the link in the opening post to be redirected to it.
Ask your questions there and I’ll be happy to answer them, but please don’t bring the polemic in this place.

Here we do not discuss the "why?", but only the "how?".
Post edited December 31, 2014 by vv221
Gersen: So for example, why switch from RAR to 7z? The fact that one is free and the other is not is a total non-issue; it's GoG who pays the license cost, and if they are more experienced with the RAR API or consider it better, it's their choice and there is nothing wrong with that.
vv221: An interesting point. I see no problem at all with GOG using whatever format they want during internal work. But I have a strong bias towards open formats for the redistribution part, allowing for greater flexibility for those who want to tinker with the installers one way or another.
Yes, that's important. Using interoperable free formats is a good practice. And choosing a non-free one when there is no practical benefit is pointless. However that's a minor issue in this scope, since at least with rar there are free decompressors (unrar).
Post edited December 31, 2014 by shmerl
vv221: In that case, what are the differences between a well-known password and no password at all?
It won't require any changes on the installer side from GoG, only minor website changes, and it will still prevent "dumb" users from accidentally extracting the files and ending up with a non-working installation. On the other side it allows more "advanced" users to easily obtain the password if they want to.
vv221: In that case, what are the differences between a well-known password and no password at all?
Gersen: It won't require any changes on the installer side from GoG, only minor website changes, and it will still prevent "dumb" users from accidentally extracting the files and ending up with a non-working installation. On the other side it allows more "advanced" users to easily obtain the password if they want to.
There was a proposal which already addressed this and doesn't require many changes, i.e. change the extension and change the server configuration to prevent MIME sniffing. Pretty trivial changes. What is your point exactly, by the way? To convince everyone that GOG doesn't need to change anything? That's not productive, so please don't do it. Better propose something that wasn't proposed yet if you have more ideas.
Post edited December 31, 2014 by shmerl
vv221: In that case, what are the differences between a well-known password and no password at all?
Gersen: It won't require any changes on the installer side from GoG, only minor website changes, and it will still prevent "dumb" users from accidentally extracting the files and ending up with a non-working installation. On the other side it allows more "advanced" users to easily obtain the password if they want to.
Okay, so you see no problem in keeping the password *if* we assume we're going for as minimal as possible modifications to the current packages? With this premise, I of course concur with you. This, or an easily accessible database listing all the passwords for installers using one.

But both of these suggestions (yours and mine) depend on an Internet access. I think something like a text file with the password and instructions (extracted from the .exe and not the .bin of course) would be better. The protection would still be effective, as "dumb" users are known for not reading text files, while not depending on an Internet access at the time of extracting.
shmerl: Yes, that's important. Using interoperable free formats is a good practice. And choosing non free one when there is especially no practical benefit is pointless.
It's only a good practice if you have any real need for interoperability, which is not GoG's case; if not, then the good practice is to choose the format that best suits your needs development-, feature- and cost-wise.

shmerl: There was a proposal which already addressed this and doesn't require many changes, i.e. change the extension and change the server configuration to prevent MIME sniffing. Pretty trivial changes.
It's not trivial, as it requires them to create new installers, test/debug them, then change all the currently existing ones, etc. Compare that to simply adding a new label to a web page.

shmerl: What is your point exactly, by the way? To convince everyone that GOG doesn't need to change anything? That's not productive, so please don't do it. Better propose something that wasn't proposed yet if you have more ideas.
The point of this thread is to offer/discuss potential technical solution which is what I did, if you want to discuss something else you should use the other thread.
vv221: But both of these suggestions (yours and mine) depend on an Internet access. I think something like a text file with the password and instructions (extracted from the .exe and not the .bin of course) would be better. The protection would still be effective, as "dumb" users are known for not reading text files, while not depending on an Internet access at the time of extracting.
It's very easy for users to create a text file containing the password and store it with the installer themselves. They need Internet access to download the file anyway, so they can easily create this text file while the game itself is downloading.
Post edited December 31, 2014 by Gersen