I wanted to mention, that I don't like how integrity check is missing from the new version of GoG installer.

Even with 'small' single-file installers, there can just as easily be errors. What I do, is download most games, and then push them into some backup. Don't have enough time to play most of them.

With old installers, I was easily able to verify beforehand, that I have undamaged files. Now, this seems impossible, without downloading multiple times or bugging others for their hash values.

In my opinion no container can afford to skip a hash check, because the consequences are just too severe. The game may crash at some point (and it's not obvious whether the reason is file corruption or user system), or some graphics may be slightly corrupted, or some sound may cracle, etc.

I myself have experienced once a game where music turned into horrible random noise at one exact point in one song. Almost jumped out of my chair the first time, lol. The reason was, indeed, data corruption.

Why risk any of this, when such a simple thing can virtually assure the user that all the files are ok?
Please add hash check to all installers, or at least all future installers?
If it bothers some users, it can be unchecked by default.
As long as the the option is there and the user can utilize it.

Thanks!

You did read the thread, right? The single file installers have a digital signature, which is a hash check, the multiple file installers have an integrity check in options.

I'm sorry, I must have missed it - where exactly was it stated that single file installers have a hidden hash check?
All I see is statement that version 1.0 installers had hash check which could be skipped and that 2.0 multipart installers have an explicit option to perform hash check.

Also, all files have digital signature. The question here is whether it is embedded in the installer and checked upon installing the single file v2.0 installers. Certanly there is NO sign of that. No progress bar, no notification, no indication and no check result.

As a programmer, I am well aware how check can be performed silently in the background while extracting. Every container (such as ZIP file) performs hash checking while extracting.

But would you not agree, that it's illogical for multipart installer to have an explicit option to perform the check, if it actually performs the check anyway when extracting? And why would single-file installer then not have this option?

That's why I assumed that perhaps none of them do any kind of checking anymore, except multipart installer when user explicitly requests it on the options page.

Could somebody who knows (not guesses / assumes, but actually knows), please confirm already, what the truth is? We can only guess otherwise.

Apologies, seems that the digital signature wasn't mentioned in this thread, but in one of the others that had popped up in that timeframe.

So, on to the digital signatures and hash checks.

V1.x installers do an integrity check when first run. They do not have a digital signature. They have an integrity check.
V2.x installers do not do the integrity check when run. The executable is digitally signed, and if the signature is ok, the executable is correct. For the multipart installers though, the digital signature only exists for the exe, the .bin files are not digitally signed. Thus the multipart installers have the option to do an integrity check before installing.

As for the concept of doing a hashcheck while extracting, no idea. I haven't used innosetup so I don't know if it does use it or not. I think some people did mention that the option to verify the integrity before installing has disappeared in more recent installers, but since I haven't installed any of the more recent ones, I've no idea if that is true or not, or why.

I remembered that I can do a simple check with a hex editor.
Tested with a small 'error' in three (single file) v2.0 installers.
The first two were OK. In file properties, signature tab, you can inspect the signature and windows informs you that the signature is not valid. Also, trying to install the game, both encountered a corrupted file and notified the user.

The third file is more interesting. I seem to have hit the certificate itself, as it reported "no signature was present in the subject" - it did properly report the signature with the unmodified file. Also, the corrupted installer installed without any problems. Of course, the installer certificate is not a part of installed files, so none were corrupted.
This does not, however, protect the executable part of the installer itself - a slight weakness.

So, it would seem that new installers do perform hash checking while extracting and that with single file installers user can inspect the certificate for Windows to check the hash. All is well, then.

Umm, I'm not sure about this...I'm pretty dumb sometimes

I've finally managed to download a game (8.5 Gb) and the installer won't run because a file is corrupted. The installation pgm suggests I verify the integrity of the seven downloaded files, which I'd be happy to do if I had any idea how to go about doing that.

I can run a pgm to get the hash values for the files I downloaded, but have no idea what to compare them to. There's nothing I can see on the GoG downloader to verify the integrity of the files and I haven't found any pgm on the GoG website to do so, either.

I have a slow, capped Internet connection where I live and can get, at most, five gig a morning without exceeding my daily 250 Mb (!) cap.

Can I do anything other than move one file at a time out of the download location, run the downloader, and see if that fixes it? I'd really like to correct the problem but don't feel much like staying up all night for two or three days just to install the game.

I see it now ... will check! Thx! (Maybe it was the setup file that was bad because I think it was crashing out before the install screen came up with the verify option)

Look at the installer for each game rather than the downloader.

EDIT: Ninja'd.

I think I'm good to go ... (for now!)

Was integrity check dropped from the latest versions of installer? I downloaded several games from my collection and it doesn't offer "check integrity" option anymore (tried on HoMM games and Caesar 3), so I have to google for file hashes to confirm my download was OK...

Is integrity now being checked implicitely during installation?

I think the only times i've gone to the options is to change the install path on the older v1.0 installers that try to install to the c:/program files/ directory... Be nice if there was a way to bulk test all the installers for issues and check the results in the morning...



Of course you can always try to re-download your files through the downloader and if the files are good they are checked and skipped...

Thanks. When I click on digital signature details, it takes longer for bigger installer files so I guess it really checks their integrity this way.

Don't you have unlimited downloads in the US? Or fiber optic connections? I don't pay for my internet at home, As I use an open network and my mobile as a receiver.