Geralt_of_Rivia: Yes, only the .exe files are signed. The .bin files are not. You need the MD5 checksums to check them.
MD5 not being secure is irrelevant since we are not checking if a file has been maliciously tampered with (and even then it would be extremely difficult to add malware to it that gets executed and still have a .bin file that installs correctly and has the correct MD5). What we want to know is if a file has downloaded correctly. And MD5 is more than enough to catch random data corruption.
Back in the day when files were smaller we used CRC8 for such purposes. And that's a checksum that only consists of one byte.
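As an added example (not code from the thread or from GOG), the following Python script shows the point made above: a streamed MD5 or CRC32 reliably catches random download corruption even though MD5 is no longer collision-resistant. The sample data, the simulated one-bit corruption and the `md5sum`-style line format are constructed for illustration; the script makes no assumption about how GOG publishes its checksums.

```python
import hashlib
import zlib
from io import BytesIO

CHUNK = 1 << 16  # 64 KiB read blocks: multi-GB .bin parts must not be read whole


def checksums(stream):
    """Stream the data once and return (md5_hex, crc32_hex)."""
    md5 = hashlib.md5()
    crc = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        md5.update(block)
        crc = zlib.crc32(block, crc)
    return md5.hexdigest(), f"{crc & 0xFFFFFFFF:08x}"


def checksums_of_bytes(data):
    """Convenience wrapper for in-memory data (tests, small files)."""
    return checksums(BytesIO(data))


def verify_md5(stream, expected_hex):
    """True if the streamed data matches the published MD5 (case-insensitive)."""
    actual, _ = checksums(stream)
    return actual == expected_hex.strip().lower()


def verify_file(path, expected_hex):
    """Verify a file on disk against a published MD5."""
    with open(path, "rb") as fh:
        return verify_md5(fh, expected_hex)


def parse_md5sum_line(line):
    """Parse one 'hash  filename' line (md5sum -c format; assumed, not GOG's format)."""
    digest, _, name = line.strip().partition("  ")
    if len(digest) != 32 or not name:
        raise ValueError(f"not an md5sum line: {line!r}")
    return digest.lower(), name


def flip_bit(data, offset, mask=0x01):
    """Return a copy of data with one bit flipped: simulated transfer corruption."""
    buf = bytearray(data)
    buf[offset] ^= mask
    return bytes(buf)


# Constructed stand-in for a downloaded .bin part; not a real installer.
SAMPLE = bytes(range(256)) * 1024  # 256 KiB of deterministic content


def demo():
    """Show that both digests flag a single flipped bit in the middle of the data."""
    good_md5, good_crc = checksums_of_bytes(SAMPLE)
    corrupted = flip_bit(SAMPLE, offset=len(SAMPLE) // 2)
    bad_md5, bad_crc = checksums_of_bytes(corrupted)
    return {
        "md5_ok": verify_md5(BytesIO(SAMPLE), good_md5.upper()),
        "md5_detects": not verify_md5(BytesIO(corrupted), good_md5),
        "crc_detects": bad_crc != good_crc,
    }


if __name__ == "__main__":
    print(demo())
```

A CRC32 is guaranteed to detect any single-bit error and any burst up to 32 bits; MD5 has no such guarantee but the chance that random corruption leaves the digest unchanged is about 2^-128, which is why either is adequate for spotting a bad download. Neither protects against a deliberate replacement when the attacker can also publish the matching checksum.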
solesurvivor83: I have been using MD5 and/or CRC32 checksums for file verification for a couple of decades now. Yes, it's probably sufficient and data corruption is easily spotted this way. But GOG added those digital signatures for a reason. Why bother? What is the purpose? Isn't it at least good to know about them, even if they (unfortunately) only apply to the executables?
I would think that if it's not secure (like MD5 for example), it CAN be tampered with. And it wouldn't be the first time an online service gets hacked either. I'm not even sure if those MD5 checksums are officially released by GOG.
edit: I just took an .exe-only game, corrupted the file with a hex editor and the digital signature turned from valid to invalid. So for .exe-only games at least, checking whether the digital signature is valid seems to be a decent way to check for file corruption from what I can see. Correct me if I'm wrong.
edit: I did the same thing with a .bin file, and as expected the digital signature stayed the same. The .bin file appears to be a .rar file which can be verified (using CRC32) by any extraction tool. Again, correct me if I'm wrong.
AFAIK GOG uses InnoSetup to make its installers nowadays. I know they also used RAR archives in the past but you can not rely on .bin files being verifiable by any run-of-the-mill unpacker. The only unpacker I am aware of that can certainly test them is innoextract. But that tests every single file within an archive one by one and doesn't have a checksum for the entire archive. On bigger games that can take a very long time and that's why this method isn't recommended.
If you assume that GOG was hacked then all bets are off anyway. Because the hackers might have just as well stolen GOG's secret key and can sign any malware they want in GOG's name until the key gets revoked.
In theory, installers consisting of only one .exe can be checked with the signature. Most of the time that works just fine. But sadly not always. Because GOG doesn't care much about the signatures. I have found one case where the signature doesn't verify because GOG made a mistake and even though that would be trivial to correct they pretty much ignored my support ticket on that topic.
On top of that, if you insist on something that is practically impossible to tamper with: Up until about a year ago GOG's signatures used the SHA1 digest algorithm, which has been considered unsafe for about 10 years now. So any game that hasn't been updated in 2024 has a signature that can be tampered with.