A way to check GOG games/goodies files validity.

[LookUpPlease]

не соизволил хоть раз упомянуть откуда и кто покупает бОльшую часть игр

В данное время на том ресурсе красноречиво (буквально) уведомляют на главной о "у нас кончаются деньги чтоб покупать игры, — подайте-ка на домики для бездомных поросят".

Как знать какие куплены лично, действительно ли кончаются, не будут ли куплены решением Leader RG GOGFAN? Когда видно что новая не покупается долгое время (месяц-шесть), вероятно будет приложено действие с моей стороны, не смотря на то что покупка адски проблемна (путь непрямой, премного дороже в связи с зарубежносозданными санкциями/корпобойкотами), — обычно игры покупаемы другими (спасибо им!) и ни капли не гарантировано что тот путь не поглотит дно морское.

Кстати, тем/той/теми чьи жалобы, вызывалась [пустая] драма об играх перекинутых на Торрминаторр, мне на это глубоко фиолетово.

То есть имеем дело с кем-то кем свершено злоупотребление с подделкой личности, приведшее к результату выше. Ясно, понятно.

Жизнь-жестянка такова, что главный непобедимый аргумент ADMIN'а перечеркнуть не в силе, — ресурс не разглашает откуда файлы, не отдает должное, не указывает кем куплено, — поэтому тут гильотински повис фильтр в духе (если не ошибаюсь в интерпретации) "не хотите указывать от кого, Вас тоже не будут, справедливенько", приведший к нерабочей прямой ссылке Github с файлами для проверки целостности из-за чего, собственно, и пошел весь сыр-бор в избе.

Чтобы подтвердить что я — это я; отправьте почту, мне, админу

Способны изменить FAQ (Вопросы и ответы) ресурса добавлением ссылки на данный профиль в качестве подтверждения. Не вижу нужды для почтовой секретности лицом-к-лицу.

► Translation

has not condescended to mention even once on where and who buys most of the games

At the current time the site's main page notifies in raging red on "We are starting to run low on donor funds which are used to purchase new game."

How can one know which are brought internally, do the money really run out, won't the newer be paid by Leader RG GOGFAN's choice? When visible that a new isn't brought in a long time (1–6 months), I would probably interfere in action myself. Though my self-buy will be hellfirely problematic to do (an indirect path, more expensive 'cause of the foreignmade sanctions/corpboycotts). Typically the upcoming are paid by others (thank you all!) and not a bit of guarantee the path won't vanish into the void.

Also, whoever complained about games being posted on Torrminatorr was causing drama as I personally don't care.

So, the say implies someone, an impostor, has faked the site's operator identity to lead to the situation at hand. I see.

The cruel fuel is ADMIN's main unbeatable point it cancels not, that (if my reading isn't far off) the site doesn't disclose from where the files are, pays no thank to, doesn't credit the buyers, and as such the freaky filter flown in the style of "you don't want to credit, you won't be credited either, fair play", leading to the broken direct link that has started all the quarrel barrel on the town square.

To confirm I am who I am; email me the admin

The site's public FAQ can be edited to add the account link as the confirmation. Uneasy to see a need for eye-to-eye eMail secrecy.

[GOG-Games]

You will know when the donor money runs out as you start seeing the release window for GOG.com games increasing until sammuggleton is posting what he shares (huge thanks too!).

The major players are the donors to the site, sammuggleton and RG GOGFan (until the rejection of Russia).

That is all I have to say. Goodbye from this thread and take care.

[LookUpPlease]

ADMIN, похоже кина не будет. Видите ли, упоминать чьи ватрушки отказывается, писать в FAQ что не верблюд тоже отказывается, с темы ув. Штирлиц скоротечно смывается. Аль такое дело, пусть фильтр так и стоит, коптит.

Жизнь, как ни посмотреть, продолжается.

sammuggleton и Leader RG GOGFAN: GOG-Games заявляет что вы денежно связаны / были связаны с тем ресурсом, вас не затруднит подтвердить/опровергнуть слова, пожалуйста, правда ли это?

Добавлено позже:
Оказалось, возникло непонимание, — слово "Donor" не в том же значении что на самом ресурсе.

► Translation

ADMIN, apparently this is the end. As can see, rejects to credit the files, the identity confirming in the FAQ is rejected too, has abruptly quit the topic. Well, let's the filter continue to roll.

Life goes on, no matter how to look at.

sammuggleton и Leader RG GOGFAN: GOG-Games claims you are/were money-related donors of the site, can you please confirm/deny the statement, is it the truth?

Added later:
A misunderstanding happen. Turns out the word is in a different definition, not like on the site itself.

[GOG-Games]

ammuggleton и Leader RG GOGFAN: removed заявляет что вы денежно связаны / были связаны с тем ресурсом, вас не затруднит подтвердить/опровергнуть слова, пожалуйста, правда ли это?

Let me rephrase since there is a language disparity.

The only people releasing the majority of new content from GOG.com are sammuggleton and I (with the help of donors).

RG GOGFAN can not, as Russia is banned from buying on GOG.com for the foreseeable future.

The monthly fees for running gog[minus]games.com is 100 EUR/USD. I pay this with my own money, but I can not buy the truckload of games that get released every week. Help is needed.

[LookUpPlease]

Можно согласиться, не так и много главных лиц вносящих вклад в дело. Без их вклада никакой проверки невозможно предложить, проверять стало б нечего.

По последнему, самообеспечение железа это отлично. По средствам не приходится питать никаких сказочных иллюзий ни от кого, т.к. средни нас олигархи не водятся — выживаем как можем.

► Translation

Indeed, the main contributors to the cause are not many. To offer checking without the contributors would be impossible, nothing to check without the files.

On the last, self-sustaining of the hardware is admirable. Personally hold no wild expectations on finances from anybody. All are surviving day-by-day hardships as good as can, there are no billionaires among us.

[Rango]

Sometimes Gog does not update the game itself, but its installer. I've heard of such cases, but I don't know how often this happens.

[jessy s]

Hi everyone, for checking gog installers I would recommend using MD5 hash. There is a public database available here: https://github.com/GOG-Games-com/MD5-fo ... main/games

[somedood]

Sometimes Gog does not update the game itself, but its installer.

Does anyone know if this will also change the *.bin files or only the .exe? I would guess that they repackage everything.

[Aleph]

for checking gog installers I would recommend using MD5 hash. There is a public database available here: https://github.com/GOG-Games-com/MD5-fo ... main/games

Wonder if they'll make that private, too

[platformers123]

Up until a few months ago, it was possible to verify GOG installers using the "osslsigncode verify" command.
But when I use this command with recent installers from 2024, it shows an error:

Code: Select all

Verify error: unable to get local issuer certificate
Signature verification: failed

Is there a way to fix the problem in order to be able to verify GOG installers using the "osslsigncode verify" command again?

[Fatman]

Up until a few months ago, it was possible to verify GOG installers using the "osslsigncode verify" command.
But when I use this command with recent installers from 2024, it shows an error:
CODE: SELECT ALL

Verify error: unable to get local issuer certificate
Signature verification: failed
Is there a way to fix the problem in order to be able to verify GOG installers using the "osslsigncode verify" command again?

Does the digital signature verify the files in addition to the executable of the installer? When I tried modifying the executable, the digital signature tab in the properties disappeared and became invalid but I tried modifying the .bin files in the GOG installers and it doesn't invalidate the digital signature.

[platformers123]

If that's the case, then in theory, I guess someone could insert malware in the .bin files. This script also checks the game files using innoextract, but unfortunately, it doesn't seem to work for GOG installers more recent than November 2023.

Please let me know if it works for you.
https://github.com/hippie68/gogcheck

[Fatman]

With the larger game installers there's the option of using file integrity check which will probably detect any changes to the .bin files before installing, however smaller installers with .bin files lacks that option. Also with large patches or DLCs with .bin files, there's no option to check file integrity either.

Do you know how and where innoextract gets the .bin checksums from? Is that information located in the executable itself?

[Thircase]

Is there a way to fix the problem in order to be able to verify GOG installers using the "osslsigncode verify" command again?

I was facing the same issue when GOG started using Sectigo certificates on their installers.
I couldn't verify the new installers signatures using gogcheck script or manually with osslsigncode.

A couple of weeks ago I noticed I was missing a certificate required to verify the Sectigo certs.
The missing certificate was: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1

So, I grabbed this Mozilla CA certificate Bundle and added the missing certificate to the .pem file, and solved the issue.

Here is the edited .pem file (Bundle) if anyone needs it:
If you are using gogcheck script, put the .pem file in the script folder, then open the script file with a text editor and change the "certfile" line:

Code: Select all

certfile=cacert.pem

And here is an example command if anyone is wondering how to manually check the digital signatures in GOG installers.

Code: Select all

osslsigncode.exe verify -CAfile "cacert.pem" -TSA-CAfile "cacert.pem" "setup_northgard_3.4.16.37124_(64bit)_(72039).exe"

Result:

Code: Select all

Signature CRL verification: ok
Signature verification: ok

Number of verified signatures: 1
Succeeded

[boomer]

so would i

[strangerr]

wow. today i learned. thanks thircase! it's very useful.

[akshatjain]

is gogdb of any use in this process, I have mac installers I want to md5 check.

[platformers123]

Thank you very much, Thircase!

@Fatman: It does seem like the checksum is located in the executable itself. But I am not sure, I don't know bash scripting that well to understand gogcheck's code.

This is written inside the gogcheck script when opened with a text editor:

Code: Select all

Checks your GOG offline installer collection for valid digital signatures and correct checksums, making sure the files are legit and have not been tempered with.
If no files or directories are specified, the current directory will be used.
If neither the -s, -b/-B, nor -i/-I option is used, all checks will be run.

The checks consist of 3 parts:
  1. Digital signature verification for .exe files
  2. File checksum verification for .bin files
  3. Inno Setup file checksum verification (actual game files packed inside .exe and .bin files)

I am not sure what the difference is between step 2. and step 3.

[Fatman]

@platformers123: If it is located in the executable itself, maybe we can extract it into a file and simply verify all the .bin files ourselves with md5sum/sha256sum/crc32. I haven't touched bash scripting in ages so I wouldn't know how about go to extract it. But the script seems to over complicate things for simple checksum verification, step 2 does sound like step 3.

[Thircase]

I am not sure what the difference is between step 2. and step 3.

The script explains the verification processes quite clearly.

Step 2 verifies the md5 checksums of the .bin files, not their contents, but as whole files.
Step 3 verifies the files checksums inside the .exe and .bin(s).
These are the files that were packaged with Inno Setup, which are extracted during the installation.

@platformers123: If it is located in the executable itself, maybe we can extract it into a file and simply verify all the .bin files ourselves with md5sum/sha256sum/crc32.

If you want to manually get the md5 checksums values from an installer, you can do it like this:

Option 1: Open the .exe file of any installer with a text editor such as Notepad++ and search for the word #GOGCRCSTRING.

Example: setup_god_of_war_1.0.13_(64bit)_(71822).exe

760a69140e6bb0c5b84d35cbaf96fb278be108b417cc9fcfd93201ae252a4f116daaab247ef97dc03dd9bdd1bcfc0c215cd177ceeeaf2f71c9d263dbd575d42ef39e45f0efb217895d9857c59c23a9afdf8b4c5384a464bc9c7919e3899b7bf58484b8b300391f739a4bb1d0350d046f38af3723d981c03278efd2d689c4925f86f4b997747aa560ac91add25e0ee23b9bde2d560cc477434bd4c591dbed00b7e9c0ba2343084cba5faee138fd96017e11#GOGCRCSTRING

Option 2: Use the "strings" command inside Cygwin or WSL.
Note: You will need to install the "binutils" package first.

Example: strings "setup_god_of_war_1.0.13_(64bit)_(71822).exe" | grep GOGCRCSTRING



All values are merged, but if you separate them every 32 characters, you will get the correct md5 values.
The last two numbers (in this case 11) can be ignored.
I think they correspond to the number of .bin(s) related to the installer.

Well..
I guess the easiest way to check the gog installers and their bins is just to use the gogcheck script.