Hi everyone,

Is there any way, or even better, any tool that downloads your games and checks if the game file hasn't been compromised without installing it?

Thanks for reading,

Have a nice day.

Check out these projects:

LGOGDownloader

gogrepoc
related thread

Along with those, there is also gogcli.exe which is multi-platform, and what I use in Windows, with my own GUI.

https://www.gog.com/forum/general/gogcli_gog_client

You can also install a browser addon that will reveal MD5 values for Offline Installer files.

You can also just use free InnoExtract to test your game files (EXE and BIN). It is a somewhat slow process, depending on the size of the files, but it gives you the most surety, as it is similar to the checking that occurs during install. GOG use InnoSetup to create their Offline Installers for Windows. 7-Zip can be used in Windows to test Extras and even Linux and Mac files.

The official MD5 checksums are out there.

You can also verify the digital signatures of the files for good measure. I believe the official names are as follows:
GOG Limited
GOG Sp. z o.o.
GOG sp. z o.o

I may be mistaken, but aren't only the exes themselves digitally signed?

Honestly, I don't know. Maybe someone can clarify. But it's still a nice addition in combination with the MD5 checksums since I don't think MD5 is secure anymore.

Yes, only the .exe files are signed. The .bin files are not. You need the MD5 checksums to check them.

MD5 not being secure is irrelevant since we are not checking if a file has been maliciously tampered with (and even then it would be extremely difficult to add malware to it that gets executed and still have a .bin file that installs correctly and has the correct MD5). What we want to know is if a file has downloaded correctly. And MD5 is more than enough to catch random data corruption.

Back in the day when files were smaller we used CRC8 for such purposes. And that's a checksum that only consists of one byte.

I have been using MD5 and/or CRC32 checksums for file verification for a couple of decades now. Yes, it's probably sufficient and data corruption is easily spotted this way. But GOG added those digital signatures for a reason. Why bother? What is the purpose? Isn't it at least good to know about them, even if they (unfortunately) only apply to the executables?

I would think that if it's not secure (like MD5 for example), it CAN be tampered with. And it wouldn't be the first time an online service gets hacked either. I'm not even sure if those MD5 checksums are officially released by GOG.

edit: I just took an .exe-only game, corrupted the file with a hex editor and the digital signature turned from valid to invalid. So for .exe-only games at least, checking whether the digital signature is valid seems to be a decent way to check for file corruption from what I can see. Correct me if I'm wrong.

edit: I did the same thing with a .bin file, and as expected the digital signature stayed the same. The .bin file appears to be a .rar file which can be verified (using CRC32) by any extraction tool. Again, correct my if I'm wrong.

AFAIK GOG uses InnoSetup to make its installers nowadays. I know they also used RAR archives in the past but you can not rely on .bin files being verifiable by any run of the mill unpacker. The only unpacker I am aware of that can certainly test them is innoextract. But that tests every single file within an archive one by one and doesn't have a checksum for the entire archive. On bigger games that can take a very long time and that's why this method isn't recommended.

If you assume that GOG was hacked then all bets are off anyway. Because the hackers might have just as well stolen GOG's secret key and can sign any malware they want in GOG's name until the key gets revoked.

In theory, installers consisting of only one .exe can be checked with the signature. Most of the time that works just fine. But sadly not always. Because GOG doesn't care much about the signatures. I have found one case where the signature doesn't verify because GOG made a mistake and even though that would be trivial to correct they pretty much ignored my support ticket on that topic.

On top of that, if you insist on something that is practically impossible to tamper with: Up until about a year ago GOG's signatures used the SHA1 digest algorithm, which has been considered unsafe for about 10 years now. So any game that hasn't been updated in 2024 has a signature that can be tampered with.

Primarily because Windows likes digital signing of installers to notify the user of the legitimacy of the publisher before allowing the install to continue.

It also works as a data corruption test, but again that only is detected on the exe itself. A LOT of GOG's catalogue have at least one bin file in their offline installers. Which checksums are you referring to? The third-party tools grab the checksums from files on GOG's own servers via the API.

I think the only believable case of GOG installers being tampered is if someone is downloading them from pirate sites.

In which case I hope the downloaders' PCs get infected and blow up in smoke, sending shrapnel with a radius of 1050 meters. And after that there is a farting sound and the whole area smells like shit for the next decade, and beyond.

Are you saying that these .bin files can pass a test in an extraction tool but still be corrupt somehow? Does this apply to any archive in general or is that just specific to GOG installers? Point taken. In ideal conditions I assume you would store the secret key in a different and secure location though. Interesting, thanks. Good to know they don't give a sh... Yes, I noticed. Point taken.

Good to know. Thanks for clarifying.
I assumed those tools grabbed them from an external source like Github, because I know the MD5 checksums are available there. They don't show up for me here, but I'm not using any browser addons either. So these are actually officially sourced from GOG? I don't really understand why they don't use something more secure than MD5 then. Weird.

Thanks!

Perhaps. Makes you wonder why software developers sometimes include secure checksums and cryptographic signatures on their official websites though. You're saying those are just there to protect people in case they download the software elsewhere?

Sorry to the OP for perhaps going a bit off topic, but I'm learning new things.

I haven't fully read later replies, but generally a signature is all about your Windows system not complaining and perhaps even preventing AV issues.

If you go to run an unsigned executable file, Windows will usually complain and query.

Yes, that was already made clear to me. But thank you for confirming.

Several of my questions still remain unanswered though. Oh well...