No he's not saying that.

There are two types of checksums provided by GOG.

There is a checksum for each Offline Installer file - EXE and BIN (and other OS files).
That checksum only tells you if the file downloaded okay, wasn't corrupted during the download process.
So it is possible for a corrupt file at the GOG end, to give a pass at our end.
In other words, GOG created a checksum value for a corrupt EXE or BIN etc file.

The second type, is using InnoExtract to test, and should mostly reveal any source & download corruption, because each EXE and BIN file are packages for many other files, that each have a checksum value for, stored in a manifest in the EXE file. Obviously with potentially many checksum values to test, it takes much longer than just testing the single checksum value for the complete EXE or BIN file. It is kind of the equivalent of testing when installing your game but without installing it, and is much faster than installing. So a much more comprehensive & reliable test, but slower. But it all breaks down at some point, if GOG created a checksum value for a corrupt file inside each EXE and BIN file package (archive).

I am pretty sure there are no MD5 checksums stored at Github, but one browser addon there I know of also uses the GOG SDK, as I imagine any others would too.

By the way, that browser addon worked well, and is quite easy to install, and certainly easier than using any other third party downloader.

Normally, they wouldn't bother to do that, because GOG would be the only source. So if they did provide them, it would be for us to make sure our download from GOG wasn't corrupted.

Thank you Timboli. I understand what you're saying. I just misunderstood Geralt for some reason.

I came across them once on Github, but I can't remember the exact webpage address. That browser addon sounds easy to use, but I don't really trust addons. Is there any other way to grab the official checksums?

I just assumed it was to protect users against malware either way. Then again, I'm not a security expert. I just test everything I can to make sure I've done my best to protect my files and my system.

I list some ways of grabbing the md5 checksums, among other related info. :
https://www.gog.com/forum/general/download_and_verify_options

Nothing outside of the GOG SDK queries.

But while you don't get checksums to use, the InnoExtract program is probably the easiest method of all with its 'test' option to check your downloaded GOG offline installers. It's only real issue, is the time it takes during testing. That duration though is determined by the size of your downloaded files and how many files exist in each EXE and BIN file package. So a 500 MB game for instance isn't going to lake long on a decent PC, while an 80 GB game is going to take much longer.

I suggest giving InnoExtract a try.

You could even download my GUI for it, which simplifies things, allowing you to build a list to test, plus it can also test other file types using 7-Zip. It can also be used with downloads from other stores like Itch.io and ZOOM Platform and Humble and IndieGala, etc.

GOGPlus Download Checker

Thank you solar_dome and Timobli!