Posted January 07, 2015
That's not true. As I've explained multiple times, digital signatures allow everyone to be happy.
Trilarion: GOG is a bit unlucky here. If you claim that you want to protect GOG customers of people who can insert malware (which anyway can never happen to a customer who only downloads from GOG ;) ) then you cannot also say that you won't make it harder. A lock that is not the hardest possible lock is next to useless and should rather be abolished. The neither one thing nor the other situation is a bit unsatisfying.
That's how the old installers work. Windows verifies the signature on the installer and the installer contains hashes to verify that the data hasn't been tampered with.
You can unpack the old installers... you can even change them if you're a l33t enough hax0r... you just can't change them AND have Windows continue to say "This installer is signed by GOG and hasn't been tampered with".
The new installers were supposed to allow them to quickly edit the installer without having to rebuild the entire multi-gigabyte set... but we can also do that now that we know how to generate the password. (That's the problem with symmetric crypto. The key you use to sign/encrypt is the same one you use to verify/decrypt.)
The proper way to do it using RAR while also keeping the ability to rapidly edit things is to have the RAR file contain a digitially signed "manifest of expected contents". Then, it would work like this:
1. The EXE would contain a key (good for verifying but not signing, because it's asymmetric crypto)
2. Windows would verify that the EXE hasn't been tampered with.
3. The EXE would read the signed manifest from the RAR file and use its key to verify that it hasn't been tampered with.
4. The EXE would use the now known-to-be-good manifest to verify that the RAR contains only what it should.
No encryption would be needed. You'd be able to extract files to your heart's content but, if you tamper with the archive, then the GOG installer can detect it and, if you tamper with the GOG installer to prevent that, then Windows's signature check will detect it.
(The trick that makes it work is to store the manifest in the RAR but sign it. That way, the manifest can always be verified to be genuine using the key stored within the signed EXE but, because it's stored in the RAR and it's just a tiny little table of contents, it would take essentially no extra time for the GOG build tooling to update it along with whatever changes they added to the RAR.)
The only way digital signatures can be used for evil in this kind of setup is if Microsoft decided to follow the iPhone's lead and say "From now on, Windows will only run EXEs where the signatures verify that we've approved them" ...and even if that wouldn't be suicide for Microsoft, it'd still be outside GOG's control.)
Post edited January 07, 2015 by ssokolow