Timboli: Infecting a file is going to change its MD5 value, no doubt about that. Maybe if you had a ton of code and a super computer you might be able to tamper and not have it change the MD5, but even then I seriously doubt it. And of course some small virus on your PC or GOG's server is never going to be able to do that.
You'd have to change a number of bytes including the payload to keep it the same size, or add to the size. But as there's internal hash checking (where the Galaxy installer type files) where every file is named... after their hash code, it's easy to verify the files are in fact untouched before rebuilding the final result.

There may be better hashes out there, but as i said, MD5 should be sufficient... Now if you were updating core OS files, installing from an unknown source, or getting kernel level module files, yeah i'd extra-scrutinize. But for GoG installers i doubt it's necessary. A HUGE amount of tweaking would be needed to match the MD5 sum AND be a valid bitstream for the installer.
g2222: Thank you. It worked. *thumbs up*
I hadn't even noticed yet that the newest GOG installers and updates don't validate anymore...
Still got older installers for like Police Quest, which includes all 5 games, rather than 5 installers bloating the installers by 5x.
Post edited April 12, 2024 by rtcvb32
W3irdN3rd: md5 (or even crc32) is fine to rule out accidental corruption, but shouldn't be relied upon for intentional tampering. (like a virus that infects other executable files)
Timboli: I'd like to see that ... or even hear about it being possible.
No one claimed it was going to be easy. If it was, then we all would be constantly tampering with md5 all night long!

Timboli: Infecting a file is going to change its MD5 value, no doubt about that. Maybe if you had a ton of code and a super computer you might be able to tamper and not have it change the MD5, but even then I seriously doubt it. And of course some small virus on your PC or GOG's server is never going to be able to do that.
I am not an expert on how the hash algorithms really work etc., but this suggests MD5 shouldn't be used with security in mind:

https://en.wikipedia.org/wiki/MD5#Security

But as said, it is still quite usable for detecting unintentional corruption. I use it quite often with dvdsig to check in Windows if a set of files is still ok.
W3irdN3rd: md5 (or even crc32) is fine to rule out accidental corruption
Curiously even a raw sum; Some 8bit BASIC programs have the minimum to verify the sum adds up before running said copied binary data from BASIC to raw hardware.

Regardless, corruption is actually quite common. Little OT history; Back when the first communications were being set up (serial and/or phone) some transfers of data would be fine, but many would have issues, bits flipped in several places. Eventually it was figured out to be noise on the line, but the pattern was fractal in nature, and difficult to predict. Ultimately it was impossible to remove.

So they started adding parity bits, you'd have a start bit, 8 bits of data, then additional parity bits to count even/odd and other tidbits for ECC, if the check failed you just requested the byte again. Finally there's a closing bit to say you're done.

There's tons of ECC built into normal communications, so a few errors are detected and corrected along the way, and only total failures need a repeat; Finally the ECC is discarded and you get the final data. So while very common to have corruption during transmission, a lot of data integrity is invisible to what we end users usually experience. Off hand i think IP4 uses CRC32 for basic checks.

While looking up on Error Correct Codes a bit, a paper on the Hubble Satellite they added apparently a 6bit something Solomon-Reed code; Which resulted in being able to use half the power or double the distance in effectiveness since errors during transmission would be detected and corrected. Used on common media, it means scratches on discs and even holes, can remain readable as it transparently fixes said data during reading. (Or it should try at least)

I guess the little TLDR. Errors and corruption are quite common; But the infrastructure and overhead lowers the final product to hopefully be the correct data. Were that not the case, i think the world would be a lot more chaotic.
Post edited April 12, 2024 by rtcvb32
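
The checks mentioned in this post (per-byte parity, a raw sum, CRC32) and MD5 differ in which accidental errors they catch. The following is an added example, not part of the original post; the sample block and the helper names are constructed for illustration.

```python
import hashlib
import zlib

def parity_bit(byte):
    """Even-parity bit for one byte: 1 if the count of set bits is odd."""
    return bin(byte).count("1") & 1

def checks(data):
    """Return each check value for a block of bytes."""
    return {
        "parity": tuple(parity_bit(b) for b in data),  # one parity bit per byte
        "sum8": sum(data) & 0xFF,                      # raw 8-bit additive sum
        "crc32": zlib.crc32(data),
        "md5": hashlib.md5(data).hexdigest(),
    }

def missed_by(original, corrupted):
    """Names of the checks whose value is identical for both inputs."""
    a, b = checks(original), checks(corrupted)
    return sorted(name for name in a if a[name] == b[name])

def flip_bits(data, index, mask):
    """Return a copy of data with the masked bits of one byte inverted."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)

def swap_bytes(data, i, j):
    """Return a copy of data with two bytes exchanged."""
    out = bytearray(data)
    out[i], out[j] = out[j], out[i]
    return bytes(out)

# Constructed sample block (bytes 32..63), not data from the thread.
BLOCK = bytes(range(32, 64))

def demo():
    """Map each kind of accidental damage to the checks that fail to notice it."""
    return {
        "one bit flipped": missed_by(BLOCK, flip_bits(BLOCK, 5, 0x01)),
        "two bits flipped in one byte": missed_by(BLOCK, flip_bits(BLOCK, 5, 0x03)),
        "two bytes swapped": missed_by(BLOCK, swap_bytes(BLOCK, 4, 5)),
    }
```

All four checks here are about accidental damage; none of them involves a secret, so none of them by itself says anything about who produced the file.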
Never seen this
Timboli: Please explain why?
All MD5 checking does, is make sure the file downloaded without interference or it matches what is on a GOG server.
It's OK for general testing, but if you want to be certain of a file's integrity you need to use a better hash. md5 has a fair few proven hash collisions now. The chances of these collisions occurring at random are fairly low, but still possible.

Ideally GOG would have progressively moved onto better hashes by now.
mk47at: It is too easy to find a collision. MD5 hasn't been secure enough for many years. There are enough research papers around that show that.

And for md5 it has been a huge issue even before this much computing power was cheaply available through one of the cloud services.
Thanks for the info, I wasn't aware of MD5 collisions.

That said, I feel it is one thing to manufacture a collision for a known, quite another to do it for an unknown on-the-fly with a bit of virus code. At least that is my read of it.

Braggadar: It's OK for general testing, but if you want to be certain of a file's integrity you need to use a better hash. md5 has a fair few proven hash collisions now. The chances of these collisions occurring at random are fairly low, but still possible.

Ideally GOG would have progressively moved onto better hashes by now.
I guess it is all about the odds isn't it.

It is one thing to throw a whole lot of files into a check for a collision for an MD5 value, but quite another to have one turn up randomly ... quite astronomical I would think ... more chance of winning the lottery it seems to me.

You are basically saying my download is corrupted, but the MD5 had a collision and so gave a match anyway.
Post edited April 17, 2024 by Timboli
Yeah noticed it too with the Kenshi update 1.68 offline installer. It was 300mb in size instead of 7.1gb. Installed a fishy kenshi.bat file instead of .exe. Certificate was expired too.
So I uploaded it to VirusTotal and contacted support. GOG told me to use GOG galaxy. How useful!

I think I have the installer still on my hard drive can check this if you want and please use a virtualization tool if you're in doubt of the file's integrity. Better safe than sorry.
Too.good: Yeah noticed it too with the Kenshi update 1.68 offline installer. It was 300mb in size instead of 7.1gb. Installed a fishy kenshi.bat file instead of .exe. Certificate was expired too.
So I uploaded it to VirusTotal and contacted support. GOG told me to use GOG galaxy. How useful!
No, that was a bug with Kenshi version 1.0.68 which then got retracted.

https://www.gogdb.org/product/1193046833#changelog

Changelog

Download changed: Installer, Kenshi, Windows, en
Version 1.0.68 ⇒ 1.0.65, Size 315.6 MB ⇒ 7.5 GB 2024-04-04
(...)
Download changed: Installer, Kenshi, Windows, en
Version 1.0.65 ⇒ 1.0.68, Size 7.5 GB ⇒ 315.6 MB 2024-04-01
See also discussion here:
https://www.gog.com/forum/general/so_is_kenshis_update_problem_gonna_be_fixed_anytime_soon
https://www.reddit.com/r/Kenshi/comments/1bupnpu/comment/kxuzkp1/

Lo-Fi_Dan
17 days ago

Hi all, apologies for this issue. We're implementing a new method of deploying builds on there that's obviously had some teething issues.

We've rolled back to 1.0.65 so you should hopefully be able to play without any problems.

Kenshi 1.0.68 is now available on the experimental branch: right click Kenshi, then "Manage Installation" in GOG Galaxy to access the beta menu.

Let us know in the forum if you've any issues with main or experimental branch.
Post edited April 20, 2024 by g2222
Ok thanks for the information I wasn't aware of that. Wrong topic then...
W3irdN3rd: I just downloaded some offline installers (Broforce and Unreal Lust Theory early access) and when launching the installer it asks if I want this app from an unknown publisher to make changes to my device.

It's supposed to ask if I want this app from verified publisher GOG sp. z o.o to make changes to my device.

This has me concerned, do I have a virus or are my installers corrupted or something?
Never mind
Post edited April 24, 2024 by IsbitenC
Too.good: Yeah noticed it too with the Kenshi update 1.68 offline installer. It was 300mb in size instead of 7.1gb. Installed a fishy kenshi.bat file instead of .exe. Certificate was expired too.
So I uploaded it to VirusTotal and contacted support. GOG told me to use GOG galaxy. How useful!
g2222: No, that was a bug with Kenshi version 1.0.68 which then got retracted.

https://www.gogdb.org/product/1193046833#changelog

Changelog

Download changed: Installer, Kenshi, Windows, en
Version 1.0.68 ⇒ 1.0.65, Size 315.6 MB ⇒ 7.5 GB 2024-04-04
(...)
Download changed: Installer, Kenshi, Windows, en
Version 1.0.65 ⇒ 1.0.68, Size 7.5 GB ⇒ 315.6 MB 2024-04-01
g2222:
So he got downloads likely from two different versions in the middle of downloading?

Well that's a unique situation...
rtcvb32: So he got downloads likely from two different versions in the middle of downloading?

Well that's a unique situation...
Not that unique. It has happened to me a few times. I even created a thread here about it.

The perils of downloading a large game soon after buying when a new release to the store. No doubt some early downloader reported an issue and the devs rushed to fix and re-upload.

My download program (gogcli.exe) GUI now reports a change of file name from what is in the manifest because of that, because the most recent version is automatically downloaded from GOG. I'm not sure if that always happens with all third party download programs.

Just an unfortunate matter of timing and how long it takes to download all files for some games.
Post edited April 25, 2024 by Timboli
rtcvb32: So he got downloads likely from two different versions in the middle of downloading?

Well that's a unique situation...
Timboli: Not that unique. It has happened to me a few times. I even created a thread here about it.
I was just meaning he didn't do anything wrong and indeed basically got 'corrupted' files, since it wasn't what the installer was expecting. After all if you look at the offline links, they are something like gog.com/downloads/sacred_2_gold/en1install0 en1install1 en1install2, etc. It's a link and on the back end it serves you the file(s) and full filename. So if they switched a version, your link would still be valid, but may not point to the same thing it did an hour ago.

And only md5 sums or something to identify which version(s) are wrong and need replaced, or just redownload from scratch. Neither is good. Just hope they don't have a limited download plan.
Post edited April 25, 2024 by rtcvb32
Timboli: Not that unique. It has happened to me a few times. I even created a thread here about it.
rtcvb32: I was just meaning he didn't do anything wrong and indeed basically got 'corrupted' files, since it wasn't what the installer was expecting. After all if you look at the offline links, they are something like gog.com/downloads/sacred_2_gold/en1install0 en1install1 en1install2, etc. It's a link and on the back end it serves you the file(s) and full filename. So if they switched a version, your link would still be valid, but may not point to the same thing it did an hour ago.
Isn't that exactly what Timboli said? It's the reason why he lets his downloader double-check all received files.
rtcvb32: I was just meaning he didn't do anything wrong and indeed basically got 'corrupted' files, since it wasn't what the installer was expecting. <snip> So if they switched a version, your link would still be valid, but may not point to the same thing it did an hour ago.
g2222: Isn't that exactly what Timboli said? It's the reason why he lets his downloader double-check all received files.
Yes, more or less. But there's a lot of normies who don't know tech that won't know to look at that, hell sometimes for large files i have them download over night or over several days, so i might not notice something is wrong until days (or weeks later) when i go to check on them. I certainly don't have scripts confirming everything is correct after download and double checks the version matches; Then again i don't think i got any games that need hot-fixing in the last few years.
Post edited April 25, 2024 by rtcvb32
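
A script of the kind discussed in the last few posts, as an added example that is not from the thread or from any downloader named in it: it checks each downloaded part against a size and MD5 manifest to find the parts that need re-downloading, then pins a SHA-256 for the parts that passed so an archived installer can be re-checked later. The manifest layout, the file names and the function names are assumptions.

```python
import hashlib
import os
import tempfile

def digests(path, chunk=1 << 20):
    """Return (size, md5_hex, sha256_hex); size is -1 if the file is missing."""
    if not os.path.isfile(path):
        return -1, "", ""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha.hexdigest()

def verify_download(folder, manifest):
    """Check parts against an assumed {name: (size, md5)} manifest; return (report, pins)."""
    report, pins = {}, {}
    for name, (want_size, want_md5) in manifest.items():
        size, md5_hex, sha_hex = digests(os.path.join(folder, name))
        if size < 0:
            report[name] = "missing"
        elif size != want_size:
            report[name] = "size-mismatch"
        elif md5_hex != want_md5.lower():
            report[name] = "md5-mismatch"
        else:
            report[name], pins[name] = "ok", sha_hex  # pin a stronger digest
    return report, pins

def recheck_archive(folder, pins):
    """Later re-check of archived parts against the locally pinned SHA-256."""
    return {name: "ok" if digests(os.path.join(folder, name))[2] == sha else "changed"
            for name, sha in pins.items()}

def demo():
    """Constructed data: parts 2 and 3 come from a different build than the manifest."""
    old = {"setup-1.bin": b"A" * 64, "setup-2.bin": b"B" * 64, "setup-3.bin": b"C" * 64}
    got = {**old, "setup-2.bin": b"X" * 64, "setup-3.bin": b"C" * 10}
    manifest = {n: (len(d), hashlib.md5(d).hexdigest()) for n, d in old.items()}
    with tempfile.TemporaryDirectory() as folder:
        for name, data in got.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        report, pins = verify_download(folder, manifest)
        with open(os.path.join(folder, "setup-1.bin"), "ab") as fh:
            fh.write(b"!")  # simulate a later change to an archived file
        return report, recheck_archive(folder, pins)
```

The size check runs first because it is the cheapest signal that a part belongs to a different build; the pinned SHA-256 values only help if they are stored somewhere other than next to the files they describe.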