I just downloaded some offline installers (Broforce and Unreal Lust Theory early access) and when launching the installer it asks if I want this app from an unknown publisher to make changes to my device.

It's supposed to ask if I want this app from verified publisher GOG sp. z o.o to make changes to my device.

This has me concerned, do I have a virus or are my installers corrupted or something?
W3irdN3rd: I just downloaded some offline installers (Broforce and Unreal Lust Theory early access) and when launching the installer it asks if I want this app from an unknown publisher to make changes to my device.

It's supposed to ask if I want this app from verified publisher GOG sp. z o.o to make changes to my device.

This has me concerned, do I have a virus or are my installers corrupted or something?
I have never seen installers from GOG that were not signed by GOG. I don't have Lust Theory but I have just checked the latest Broforce installer and the signature is as it should be. See attaches.
W3irdN3rd: This has me concerned, do I have a virus or are my installers corrupted or something?
Maybe try running "sfc /scannow" at an administrator cmd prompt & reboot.
W3irdN3rd: and when launching the installer it asks if I want this app from an unknown publisher to make changes to my device.

It's supposed to ask if I want this app from verified publisher GOG sp. z o.o to make changes to my device.

This has me concerned, do I have a virus or are my installers corrupted or something?
I doubt it. It only wants permissions so it can install dependencies and access the registry for the entries that need that.

As for the unknown publisher part, not sure. Was this on a machine unable to access the internet? (or have firewall settings to block) I can only think maybe something was trying to ping and check against a public key vs everything locally.

Going to properties on Syberia I see a digital signature. To note, I also see GoG Limited as another name in some of my installers.
Attachments:
syberia.png (16 Kb)
W3irdN3rd: I just downloaded some offline installers (Broforce and Unreal Lust Theory early access) and when launching the installer it asks if I want this app from an unknown publisher to make changes to my device.

It's supposed to ask if I want this app from verified publisher GOG sp. z o.o to make changes to my device.

This has me concerned, do I have a virus or are my installers corrupted or something?
Geralt_of_Rivia: I have never seen installers from GOG that were not signed by GOG. I don't have Lust Theory but I have just checked the latest Broforce installer and the signature is as it should be. See attaches.
I just checked against an older Broforce installer and found the older installer (from 2023) used SHA1 digest algorithm while the new installer uses sha256. The 2023 installer was signed by "DigiCert Timestamp 2023" and the new installer by "Sectigo RSA Time Stamping Signer #4". For the new installer it says "The certificate in the signature cannot be verified".
rtcvb32: As for the unknown publisher part, not sure. Was this on a machine unable to access the internet? (or have firewall settings to block) I can only think maybe something was trying to ping and check against a public key vs everything locally.
Yes, I try to keep Windows offline.

Somehow it managed to access the internet last time I booted it, because it installed a UEFI update, then the screen went black (but backlight remained on) and after 2 minutes I decided it had crashed. Rebooted, and it took like half a minute for anything to appear on screen. I feared the update had bricked my laptop. When it did come back to life, Windows destroyed my bootloader again. Bye bye multiboot. Hopefully the partitions are still intact.

This is exactly why I had revoked Windows' internet privileges. Some update might be required to verify the signatures of the new installers, I'll have to look into that.
Post edited April 12, 2024 by W3irdN3rd
rtcvb32: As for the unknown publisher part, not sure. Was this on a machine unable to access the internet? (or have firewall settings to block) I can only think maybe something was trying to ping and check against a public key vs everything locally.
W3irdN3rd: Yes, I try to keep Windows offline.

Somehow it managed to access the internet last time I booted it, because it installed a UEFI update, then the screen went black (but backlight remained on) and after 2 minutes I decided it had crashed. Rebooted, and it took like half a minute for anything to appear on screen. I feared the update had bricked my laptop. When it did come back to life, Windows destroyed my bootloader again. Bye bye multiboot. Hopefully the partitions are still intact.

This is exactly why I had revoked Windows' internet privileges. Some update might be required to verify the signatures of the new installers, I'll have to look into that.
Mhmm. I would forcibly turn off and remove update. But if you can't manage securing it down, then yeah keeping it offline is the next best thing.

I'm sure the partitions are fine, though you might boot a liveCD to check, or to set back up the multiboot options.

So I'd guess based on your snapshot you see the certificate, but it probably couldn't be verified to be the same one.

As long as the MD5 sums match I call that close enough.
rtcvb32: As long as the MD5 sums match I call that close enough.
Please don't rely on md5 for security. It's not safe.
rtcvb32: As long as the MD5 sums match I call that close enough.
mk47at: Please don't rely on md5 for security. It's not safe.
I would think md5 is enough to check if something is not corrupted, but not for checking if it is not tampered with.
Post edited April 12, 2024 by timppu
Geralt_of_Rivia: I have never seen installers from GOG that were not signed by GOG. I don't have Lust Theory but I have just checked the latest Broforce installer and the signature is as it should be. See attaches.
W3irdN3rd: I just checked against an older Broforce installer and found the older installer (from 2023) used SHA1 digest algorithm while the new installer uses sha256. The 2023 installer was signed by "DigiCert Timestamp 2023" and the new installer by "Sectigo RSA Time Stamping Signer #4". For the new installer it says "The certificate in the signature cannot be verified".
Yes, that is correct. GOG started using a new certificate a few months back.
rtcvb32: As for the unknown publisher part, not sure. Was this on a machine unable to access the internet? (or have firewall settings to block) I can only think maybe something was trying to ping and check against a public key vs everything locally.
W3irdN3rd: Yes, I try to keep Windows offline.
And that is the reason why the signature does not verify. You are missing one of the certificates in the certificate chain. Windows downloads missing certificates automatically but if it can't do that the signature will not verify.
For anyone else who wishes to keep their Windows offline, here's how I solved it:

Go to https://www.digicert.com/kb/digicert-root-certificates.htm and download the DER/CRT file for "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1". Transfer the file to your Windows machine. (USB stick, CD/DVD-R(W), IPoAC LAN FTP, null modem cable, encode as base64 and type it in, etc.)

Double click and follow instructions. This is specifically the certificate GOG installers use, so for other sources you may need different certificates. For my personal use case, this'll do.

Oddly, the instructions from https://woshub.com/updating-trusted-root-certificates-in-windows-10/ to install the files from https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-trust (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) didn't help for me.
mk47at: Please don't rely on md5 for security. It's not safe.
timppu: I would think md5 is enough to check if something is not corrupted, but not for checking if it is not tampered with.
md5 (or even crc32) is fine to rule out accidental corruption, but shouldn't be relied upon for intentional tampering. (like a virus that infects other executable files)

But I'm used to seeing a certificate with GOG installers, so not seeing it made me wonder if it had been tampered with somehow.
Post edited April 12, 2024 by W3irdN3rd
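Added example, not part of the thread and not GOG's or DigiCert's tooling: a PowerShell script for the offline case described above. It shows where the installer's certificate chain stops, then imports the transferred CA file only if it is the missing issuer and matches a thumbprint you read from the CA's site. The file paths, the thumbprint placeholder and the choice of the per-user store are assumptions.

```powershell
# Added example. Paths and the expected thumbprint are placeholders, not values from the thread.
param(
    [string]$Installer = 'C:\Downloads\setup_example.exe',   # hypothetical installer path
    [string]$CaFile    = 'C:\Transfer\intermediate-ca.crt',  # CA file copied from an online machine
    [string]$ExpectedThumbprint = '<SHA1-THUMBPRINT-FROM-THE-CA-SITE>',
    [string]$Store     = 'Cert:\CurrentUser\CA'              # assumption: per-user intermediate CA store
)
$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-ChainReport($Certificate) {
    $chain = New-Object "$X509.X509Chain"
    # Offline machine: skip CRL/OCSP so only chain completeness is tested.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $complete = $chain.Build($Certificate)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Complete  = $complete
        Status    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Path      = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        TopIssuer = $last.Issuer   # the issuer that could not be found when Complete is false
    }
}

$sig = Get-AuthenticodeSignature -FilePath $Installer
"Authenticode status: $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) { throw 'No Authenticode signature present in this file.' }

# Report the signer chain and, if present, the timestamp signer chain.
$signer = Get-ChainReport $sig.SignerCertificate
$signer | Format-List
if ($sig.TimeStamperCertificate) { Get-ChainReport $sig.TimeStamperCertificate | Format-List }
if ($signer.Complete) { 'Signer chain already builds; nothing to import.'; return }

# Refuse to trust the transferred file unless it is the missing issuer and its
# thumbprint matches the value read from the CA's site on the online machine.
$ca   = New-Object "$X509.X509Certificate2" $CaFile
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($ca.Subject -ne $signer.TopIssuer) { throw "Not the missing issuer: $($ca.Subject)" }
if ($ca.Thumbprint -ne $want) { throw "Thumbprint mismatch: $($ca.Thumbprint)" }

Import-Certificate -FilePath $CaFile -CertStoreLocation $Store | Out-Null
Get-ChainReport $sig.SignerCertificate | Format-List
"Authenticode status now: $((Get-AuthenticodeSignature -FilePath $Installer).Status)"
```

A `PartialChain` entry in `Status` means an issuer is absent from the local stores; a file with no signature at all stops at the first `throw`, which is a different situation from a chain that merely cannot be completed offline.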
W3irdN3rd: I just checked against an older Broforce installer and found the older installer (from 2023) used SHA1 digest algorithm while the new installer uses sha256. The 2023 installer was signed by "DigiCert Timestamp 2023" and the new installer by "Sectigo RSA Time Stamping Signer #4". For the new installer it says "The certificate in the signature cannot be verified".
Geralt_of_Rivia: Yes, that is correct. GOG started using a new certificate a few months back.
W3irdN3rd: Yes, I try to keep Windows offline.
Geralt_of_Rivia: And that is the reason why the signature does not verify. You are missing one of the certificates in the certificate chain. Windows downloads missing certificates automatically but if it can't do that the signature will not verify.
Oddly, I don't recall running into this issue ever before. For sh*ts-and-giggles, I just checked on a Windows 7 SP1 machine, totally unpatched. That's from 2011. Broforce 2023 installer: fine! Broforce 2024 installer: NOPE!
mk47at: Please don't rely on md5 for security. It's not safe.
timppu: I would think md5 is enough to check if something is not corrupted, but not for checking if it is not tampered with.
Considering the installers are compressed, getting the MD5 to match, and be tampered with, and tamper with executable code vs say images or map data, as well as still be a valid bitstream (as not to barf during install) seems a bit low. Though you could always have two or three different hashes, you can't make them all work.

A couple of years ago I wrote a bash script to find duplicate files; this script heavily relies on md5. I figure, if the hashes don't match, it can't possibly be similar files. If they do match, there's a 99% or higher chance they are identical, so before it does the full delete & link or make a restore script, it does a full byte-by-byte compare just to make sure first. Works pretty darn well too.

In general md5 is sufficient unless you need to be extra paranoid.
W3irdN3rd: Yes, I try to keep Windows offline.
Geralt_of_Rivia: And that is the reason why the signature does not verify. You are missing one of the certificates in the certificate chain. Windows downloads missing certificates automatically but if it can't do that the signature will not verify.
In theory anyone can make a new certificate and just sign it themselves and slap it on something. But with public key encryption, you should be able to verify the public key (since it should be public and published somewhere) is indeed genuine. Fully offline can't verify that step, so yeah I'd expect an 'unknown' or 'unverified' publisher.
mk47at: Please don't rely on md5 for security. It's not safe.
Please explain why?

All MD5 checking does, is make sure the file downloaded without interference or it matches what is on a GOG server.

If it was already corrupted on a GOG server, not much you can do about that, and who can really tell you for sure? At best you can throw a small enough file at VirusTotal and go by the majority result. But really, virus scanners make mistakes all the time, many of them being over-zealous.
W3irdN3rd: md5 (or even crc32) is fine to rule out accidental corruption, but shouldn't be relied upon for intentional tampering. (like a virus that infects other executable files)
I'd like to see that ... or even hear about it being possible.

Infecting a file is going to change its MD5 value, no doubt about that. Maybe if you had a ton of code and a super computer you might be able to tamper and not have it change the MD5, but even then I seriously doubt it. And of course some small virus on your PC or GOG's server is never going to be able to do that.
Post edited April 12, 2024 by Timboli
W3irdN3rd: For anyone else who wishes to keep their Windows offline, here's how I solved it:

Go to https://www.digicert.com/kb/digicert-root-certificates.htm and download the DER/CRT file for "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1". Transfer the file to your Windows machine. (USB stick, CD/DVD-R(W), IPoAC LAN FTP, null modem cable, encode as base64 and type it in, etc.)

Double click and follow instructions. This is specifically the certificate GOG installers use, so for other sources you may need different certificates. For my personal use case, this'll do.
Thank you. It worked. *thumbs up*
I hadn't even noticed yet that the newest GOG installers and updates don't validate anymore...
Post edited April 12, 2024 by g2222
Timboli: (…)
Infecting a file is going to change its MD5 value, no doubt about that. Maybe if you had a ton of code and a super computer you might be able to tamper and not have it change the MD5, but even then I seriously doubt it. And of course some small virus on your PC or GOG's server is never going to be able to do that.
It is too easy to find a collision. MD5 hasn't been secure enough for many years. There are enough research papers around that show that.

And for md5 it has been a huge issue even before this much computing power was cheaply available through one of the cloud services.