Trilarion: GOG is a bit unlucky here. If you claim that you want to protect GOG customers from people who can insert malware (which anyway can never happen to a customer who only downloads from GOG ;) ) then you cannot also say that you won't make it harder. A lock that is not the hardest possible lock is next to useless and should rather be abolished. The neither one thing nor the other situation is a bit unsatisfying.
That's not true. As I've explained multiple times, digital signatures allow everyone to be happy.

That's how the old installers work. Windows verifies the signature on the installer and the installer contains hashes to verify that the data hasn't been tampered with.

You can unpack the old installers... you can even change them if you're a l33t enough hax0r... you just can't change them AND have Windows continue to say "This installer is signed by GOG and hasn't been tampered with".

The new installers were supposed to allow them to quickly edit the installer without having to rebuild the entire multi-gigabyte set... but we can also do that now that we know how to generate the password. (That's the problem with symmetric crypto. The key you use to sign/encrypt is the same one you use to verify/decrypt.)

The proper way to do it using RAR while also keeping the ability to rapidly edit things is to have the RAR file contain a digitally signed "manifest of expected contents". Then, it would work like this:

1. The EXE would contain a key (good for verifying but not signing, because it's asymmetric crypto)
2. Windows would verify that the EXE hasn't been tampered with.
3. The EXE would read the signed manifest from the RAR file and use its key to verify that it hasn't been tampered with.
4. The EXE would use the now known-to-be-good manifest to verify that the RAR contains only what it should.

No encryption would be needed. You'd be able to extract files to your heart's content but, if you tamper with the archive, then the GOG installer can detect it and, if you tamper with the GOG installer to prevent that, then Windows's signature check will detect it.

(The trick that makes it work is to store the manifest in the RAR but sign it. That way, the manifest can always be verified to be genuine using the key stored within the signed EXE but, because it's stored in the RAR and it's just a tiny little table of contents, it would take essentially no extra time for the GOG build tooling to update it along with whatever changes they added to the RAR.)

(The only way digital signatures can be used for evil in this kind of setup is if Microsoft decided to follow the iPhone's lead and say "From now on, Windows will only run EXEs where the signatures verify that we've approved them" ...and even if that wouldn't be suicide for Microsoft, it'd still be outside GOG's control.)
Post edited January 07, 2015 by ssokolow
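The manifest check from steps 3 and 4 of the post above, as an added example that is not part of the original post and not GOG's code. It assumes Ed25519 from Node's built-in crypto module as the signature scheme and an in-memory object standing in for the RAR; step 2 (Windows verifying the EXE) is outside its scope, and all names and file contents are constructed.

```javascript
// Added example: signed-manifest check for an unencrypted archive.
const nodeCrypto = require('node:crypto');

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest('hex');

// Build side (publisher): list every archive member with its hash, then sign the list.
function buildManifest(files, privateKey) {
  const entries = Object.keys(files).sort().map((name) => ({ name, sha256: sha256(files[name]) }));
  const manifest = Buffer.from(JSON.stringify(entries));
  return { manifest, signature: nodeCrypto.sign(null, manifest, privateKey) };
}

// Installer side: holds only the public key, so it can verify but not sign.
function verifyArchive(files, manifest, signature, publicKey) {
  // Step 3: authenticate the manifest bytes before parsing or trusting them.
  if (!nodeCrypto.verify(null, manifest, publicKey, signature)) return 'manifest signature invalid';
  const expected = new Map(JSON.parse(manifest.toString()).map((e) => [e.name, e.sha256]));
  // Step 4: the archive must contain exactly the listed members, unmodified.
  for (const name of Object.keys(files)) {
    if (!expected.has(name)) return `unexpected file: ${name}`;
    if (sha256(files[name]) !== expected.get(name)) return `hash mismatch: ${name}`;
    expected.delete(name);
  }
  if (expected.size > 0) return `missing file: ${[...expected.keys()][0]}`;
  return 'ok';
}

// Constructed sample data: a throwaway key pair and a two-file "archive".
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const archive = { 'game.exe': Buffer.from('game binary'), 'data/levels.pak': Buffer.from('level data') };
const { manifest, signature } = buildManifest(archive, privateKey);

function demo() {
  const patched = { ...archive, 'game.exe': Buffer.from('patched binary') };
  const extra = { ...archive, 'extra.dll': Buffer.from('added file') };
  // A rewritten manifest can only be signed with some other key, never the publisher's.
  const forged = buildManifest(patched, nodeCrypto.generateKeyPairSync('ed25519').privateKey);
  return {
    untouched: verifyArchive(archive, manifest, signature, publicKey),
    patched: verifyArchive(patched, manifest, signature, publicKey),
    extra: verifyArchive(extra, manifest, signature, publicKey),
    resigned: verifyArchive(patched, forged.manifest, forged.signature, publicKey),
  };
}
console.log(demo());
```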
Looking forward to GOG's response in this matter :)
Trilarion: If you claim that you want to protect GOG customers from people who can insert malware (which anyway can never happen to a customer who only downloads from GOG
Can I download gog games from someplace else than gog (malware free)?
I don't understand
mobutu: Can I download gog games from someplace else than gog (malware free)?
I don't understand
Read this, it'll help you understand.
high rated
As the topic of password protected archives included inside some of our Windows game installers sparked some heated discussions, we’d like to address some misunderstandings around this topic and let you know that changes will be made.

Password protection appeared in selected multi-part Windows installers, about 30 games from our catalogue that had large install files, over 6 months ago. We implemented it for various other reasons as well, many of which have been mentioned in previous posts. One of them was streamlining installation for the less tech-savvy users to avoid the issue of “broken” games after not using the installer to install them (you more proficient tinkerers have proven that it was a trivial barrier against the more advanced users).

We’ve heard your concerns regarding this solution and we do agree it could have been better. Although the same could probably be said about many other answers to this problem, it doesn’t mean we shouldn’t try to do better for our community. To that end we will be removing the mentioned archive protection from the select Windows installers that had it until a better solution, both technically and philosophically, is ready. Please continue sharing your suggestions regarding such a solution in this topic - your feedback is very appreciated.

On a side note, we’d also like to invite Captain Obvious here for a moment to remind that GOG offers and supports games compatible with specific operating systems and prepared to be installed on a given system using our included installer for a reason. This is, from the very first day, our way of offering a hassle-free, user-friendly and welcoming experience for millions of our users, no matter what their technical skill level may be.

That is why we cannot guarantee that our installers will never change and will forever remain compatible with each of such unsupported tools. However, it never was our goal to purposely break compatibility with some third-party extraction tools or emulators used by some of our customers - and, rest assured, it never will be.

GOG.com Team
GOG.com: ... To that end we will be removing the mentioned archive protection from the select Windows installers that had it until a better solution, both technically and philosophically, is ready. ...
**claps happily**
...
**empties wallet on games**


Thank you GOG!
GOG.com: ...To that end we will be removing the mentioned archive protection from the select Windows installers that had it until a better solution, both technically and philosophically, is ready. Please continue sharing your suggestions regarding such a solution in this topic - your feedback is very appreciated. ...
Thank you very much for the nice decision. My idea about a better solution would be:
- use checksums during download and during installations to check for integrity (you probably already do)
- from time to time show a noticeable warning in the downloader/Galaxy client saying that there is no support for anything other than execution of the installer
- train support staff especially to detect the usage of tampered installers and explain that GOG does not support tampered installers

That might be enough.
Trilarion: If you claim that you want to protect GOG customers from people who can insert malware (which anyway can never happen to a customer who only downloads from GOG
mobutu: Can I download gog games from someplace else than gog (malware free)?
I don't understand
I do not know. But I also would not mind if torrented software would be full of malware. This might even show people the benefit of downloading from GOG.
Post edited January 07, 2015 by Trilarion
Thanks GOG, appreciated.

I'd like to suggest to sticky this at the top of each page in this thread for more visibility.
Thank you GOG for listening to our concerns. As a penguin (Linux user) and someone who also plays some of the old games I purchase under the Android OS I was concerned about the new installers, the reason I started buying more from GOG was your consumer friendly policies which made it easy to run the games I purchase in my preferred manner, and I'm glad to see you guys want to continue down that path. I don't want to ever go back to that MS OS, Windows makes me grumpy.

Thanks again GOG, we do appreciate it! :)
GOG.com: As the topic of password protected archives included inside some of our Windows game installers sparked some heated discussions, we’d like to address some misunderstandings around this topic and let you know that changes will be made.

Password protection appeared in selected multi-part Windows installers, about 30 games from our catalogue that had large install files, over 6 months ago. We implemented it for various other reasons as well, many of which have been mentioned in previous posts. One of them was streamlining installation for the less tech-savvy users to avoid the issue of “broken” games after not using the installer to install them (you more proficient tinkerers have proven that it was a trivial barrier against the more advanced users).

We’ve heard your concerns regarding this solution and we do agree it could have been better. Although the same could probably be said about many other answers to this problem, it doesn’t mean we shouldn’t try to do better for our community. To that end we will be removing the mentioned archive protection from the select Windows installers that had it until a better solution, both technically and philosophically, is ready. Please continue sharing your suggestions regarding such a solution in this topic - your feedback is very appreciated.

On a side note, we’d also like to invite Captain Obvious here for a moment to remind that GOG offers and supports games compatible with specific operating systems and prepared to be installed on a given system using our included installer for a reason. This is, from the very first day, our way of offering a hassle-free, user-friendly and welcoming experience for millions of our users, no matter what their technical skill level may be.

That is why we cannot guarantee that our installers will never change and will forever remain compatible with each of such unsupported tools. However, it never was our goal to purposely break compatibility with some third-party extraction tools or emulators used by some of our customers - and, rest assured, it never will be.

GOG.com Team
Good to hear. I shall resume my slow but steady march toward owning 100% of the GOG catalog.
GOG.com: ...

GOG.com Team
The fact this is "high rated" makes me think this is really good news. I hope you'll share this outside this post or at least "sticky" this post at the top of the thread.
That was the right choice, thanks GOG staff for listening.
Well, I'm sure this is a load off more than a few minds. Thanks GOG!
Yes! That is the GOG.com I learned to love.

Thank you very much :).

*Buying a huge amount of games...*
Phew.

Now I can continue migrating from Steam to GOG.
Post edited January 07, 2015 by 3316V