hedwards: If they were concerned with malware and whatnot, they could just post the SHA256 and MD5 checksums for the files on the site
d2t: Brilliant idea... Because the average Joe who downloads an app or game from a store or from a pirated source, by default goes to the legal content owner's website and searches for checksums before installing...
Please get real. Outside of how absurd this flow sounds, the average user doesn't even know how to calculate a checksum. The average user, if a product does not work, goes to support and complains that stuff doesn't work.
The EXE is already signed so Windows will complain if it's tampered with. Last I heard, the whole point of RARs over InnoSetup bundling was so they could be modified by the GOG installer devs without rebuilding the entire multi-gigabyte file set. As I understood it, as it relates to malware prevention, the password was supposed to substitute for a hash check embedded in the EXE.
However, since the RARs don't appear to contain any kind of digitally-signed manifest of expected contents or other verification mechanism based on asymmetric crypto, that means that anyone who can get the password can inject malware without the EXE signature doing anything to stop it.
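An added example, written for this thread and not code from any poster or from GOG: the kind of manifest check the post above says the RARs lack. It assumes a sha256sum-style manifest that ships inside (and is therefore covered by) the signed EXE, and uses constructed payload files; a file altered, dropped or added by anyone holding the archive password is reported.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style 'hex  relative/path' lines into {path: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            expected[rel.strip()] = digest.lower()
    return expected
def sha256_file(path: Path) -> str:
    """Stream the file so multi-gigabyte payloads need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()
def verify_payload(root: Path, manifest_text: str) -> dict:
    """Altered, dropped and added files all fail: the password allows all three."""
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(expected.items()):
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) == digest:
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            result["unexpected"].append(rel)
    return result
def demo() -> dict:
    """Constructed payload: one intact, one tampered, one absent, one unlisted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup-1.bin").write_bytes(b"A" * 4096)
        (root / "setup-2.bin").write_bytes(b"B" * 4096)
        manifest = "".join(f"{sha256_file(root / n)}  {n}\n" for n in
                           ("setup-1.bin", "setup-2.bin")) + "0" * 64 + "  setup-3.bin\n"
        with (root / "setup-2.bin").open("ab") as f:
            f.write(b"tampered")  # constructed modification made after the manifest
        (root / "extra.dll").write_bytes(b"never listed")
        return verify_payload(root, manifest)
```

The manifest only helps if it is itself inside the signed EXE; a manifest stored next to the RARs can be rewritten by the same party that rewrote the RARs.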