
GOG's Installer Encryption Proving to be Difficult for Linux Users

GOG has begun using encrypted RAR files in their Windows installers for various games to enhance their security. This however has caused problems for some Linux users.

The new installer format uses password-protected, encrypted RAR files to stop pirates from adding malware to the installer and then spreading that package through torrents to users. The password protection is also meant to prevent user stupidity, where the user unpacks the RAR file without running the installer as intended (on Windows), thus breaking the installation package.

The problems arise when Linux users attempt to use the extraction utility innoextract to unpack the installers of the games without having to use Wine. This is useful when using some versions of Wine that don't support GOG's installers or when you only want to access the game's data files to use them with an alternate game engine. The password protection put in place by GOG effectively prevents innoextract from extracting the package, making users reliant upon GOG's own installers which, like I said, might not work in Wine.

Some users consider this behaviour DRM-ish and against GOG's promise of being a DRM-free game store and they have put up a wishlist entry on GOG to make them revert back to the old installers. You can vote and add your comments here: https://www.gog.com/wishlist/site/dont_slip_into_drm_swamp_stop_using_password_protection_on_installer_packages

Known affected games include Assassin's Creed, Wasteland 2, Heroes of Might and Magic 5 and The Bard's Tale, among others. Note that this doesn't affect the Linux packages of Linux-supported games, only the Windows installers. You can check the full list of affected games and report your own findings here:
https://github.com/dscharrer/innoextract/issues/37#issuecomment-67915715

Some Thoughts

The line between DRM and no DRM might not always be absolutely clear. In this case the password protection doesn't prevent you from making copies of your games, as you can just copy the installers around, but it does prevent you from messing around with the installer and makes you depend on their own installer.

But in any case I do side with the crowd against these measures. The way I see it, they are trying to protect pirates from malicious pirates and users from themselves, which I find quite ridiculous. A normal user who purchases a game from GOG (on Windows) will most likely go for the big file that contains words like “setup” or “installer” instead of clicking random .bin files. And protecting pirates? Now that is just plain silly. Prevention of malware is of course good, but if you are going to pirate games you have to be ready to pay the price of potentially installing something nasty on your system, and many pirates are aware of this and throw their anti-virus scanners at every piece of warez they download.

Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates?

Article taken from GamingOnLinux.com.
Tags: DRM, GOG
The comments on this article are closed.
28 comments

Guest Dec 31, 2014
I'm feeling like there are little lines of DRM hoops that have been gradually coming around to GOG. First it was the lack of always providing tarballs because the Lucasarts games have a EULA that they packed into the .debs for Ubuntu and Mint. They were ultimately pointless, because it likely still could have been inserted into a script for the tarballs as in a .deb just as easily. (eularead=1, anybody?)

Now it's something that, while transparent to Windows users (apparently), causes problems for Linux users wanting to run GOG game installers in Wine. I think users do deserve to have hash checks in their files, no matter where or for what system they're being downloaded from. I know that creates a problem for insecure publishers, because then even closed-source games can be verified by anybody who's bought the game or not.

It's still a stupid reason to not provide something that genuinely *is* a working solution to any potential man-in-the-middle attacks GOG claims to be protecting their Windows users from with these passworded RAR files.
badber Dec 31, 2014
Quoting: Teryn
Now it's something that, while transparent to Windows users (apparently), causes problems for Linux users wanting to run GOG game installers in Wine. I think users do deserve to have hash checks in their files, no matter where or for what system they're being downloaded from. I know that creates a problem for insecure publishers, because then even closed-source games can be verified by anybody who's bought the game or not.

All forms of DRM are supposed to be transparent to users anyway so that's not even really a defense... With the unique passwords this definitely feels like some kind of an attempt at thwarting file sharing, in other words DRM. Even if their official line is that it's something different I'm not really buying it...
ssokolow Dec 31, 2014
Quoting: neffo
couldn't you just use the GOG installer in wine anyway?

These new installers crash under current Wine versions.
ntfwc Jan 1, 2015
This doesn't sound effective at all in protecting a user from a manipulated installer, if that's the intention. Even if a bad actor couldn't insert something in the legitimate installer, provided they are determined enough, they could put together a custom installer that looks and feels nearly the same. It sounds more like some silly measure needed to appease certain publishers.

If it does become applied to all installers, I'll be glad I back up everything locally after a purchase. Hopefully a solution to this incompatibility can be worked out. The vast majority of older games seem to work perfectly with Wine, so it would be quite unfortunate for them to be locked away, from Linux users, by the installer of all things.
TheinsanegamerN Jan 2, 2015
This is quite the unfortunate development from GOG. This is the second company I've dealt with to go against their word to remain DRM free (the first being Stardock with Sins of a Solar Empire, as Rebellion requires Steam to play).
What kind of excuse is it anyway? They are afraid that people will only download part of a game? Well, perhaps GOG should have made it a single download if they were so worried. Would that make much more sense than encrypting the game files? And wouldn't most of the GOG community be technically literate enough to read the download page, and don't most GOG buyers usually download all of the bonus stuff to go with the game as well? Doesn't seem like many people would make that mistake.
Heck, I just bought The Sims 3 on DVD specifically because I can run it without Origin. I purchased the two expansion packs to the original Sins of a Solar Empire (Entrenchment and Diplomacy) rather than buying the cheaper Trinity version because they had none of that stupid activation limit that the Steam version had. The ONLY reason I bought from GOG was that it was DRM free. If they want to put DRM on stuff, I'll take my money back to Valve, and purchase newer games instead.

EDIT: Sorry for the rant. I'm sick and tired of companies screwing users like this.
ntfwc Jan 3, 2015
One thought I had is that this could be about making sure people are presented with and accept the EULA whenever they install the game. Because if you can just extract the game, you might not look at it.

Quoting: Teryn
First it was the lack of always providing tarballs because the Lucasarts games have a EULA that they packed into the .debs for Ubuntu and Mint. They were ultimately pointless, because it likely still could have been inserted into a script for the tarballs as in a .deb just as easily. (eularead=1, anybody?)

This could be related. Reminds me of the EULA prompt for the Microsoft font package.

So, this could have more to do with legal reasons.
Guest Jan 3, 2015
Quoting: ntfwc
Quoting: Teryn
First it was the lack of always providing tarballs because the Lucasarts games have a EULA that they packed into the .debs for Ubuntu and Mint. They were ultimately pointless, because it likely still could have been inserted into a script for the tarballs as in a .deb just as easily. (eularead=1, anybody?)

This could be related. Reminds me of the EULA prompt for the Microsoft font package.

So, this could have more to do with legal reasons.

Sorry, but that doesn't seem to be the case. I've been keeping up on GOG's own forums, and the one admin who's said anything seems to imply otherwise.

This is the general discussion thread:
http://www.gog.com/forum/general/tech_gog_new_windows_installer_a_technical_thread
Here's the post where the admin first speaks up in the discussion thread:
http://www.gog.com/forum/general/on_gnulinux_has_anyone_be_able_to_extract_the_rar_innosetup_installers/post116

This is the technical solutions thread, where only discussing tech solutions is encouraged:
http://www.gog.com/forum/general/tech_gog_new_windows_installer_a_technical_thread

Here's a thread suggesting that bypassing this password (as Linux users must) may be considered reverse engineering, and is no good with GOG's upcoming policy changes:
http://www.gog.com/forum/general/please_fix_your_user_agreement_to_allow_reverse_engineering_and_tinkering_when_its_fair_use_to_ret

Just keeping everyone informed. At least look at the admin's post and see what he's intended with this change. If this is a bad move for Linux (and the few Windows users who manually unpack their installers for whatever reason), everyone deserves to figure that out for themselves.
ssokolow Jan 7, 2015
The "official statements from GOG" account has responded on the topic of passworded installers and it's good news.

They basically said, "Our bad. We'll get rid of the passwords while we find a better solution. We never consciously intended to break support with your tools and never will. However, since those are officially Windows installers, we reserve the right to break PlayOnLinux scripts and the like if we see a backwards-incompatible way to improve the need to make things more comfortable for Windows users."

(Gowor has said that the original purpose of the switch to RAR itself was to allow massive multi-DVD-sized installers to be incrementally modified while a release is being prepared, rather than having to regenerate the entire InnoSetup fileset for every little change. As I understand it, the RAR passwords are a failed attempt to reinvent the authenticity verification that originally came from having hashes of the BIN files stored inside the signed EXE.)

Given that response and how symmetric crypto protected by "security by obscurity" is ineffective as authenticity verification, my impression is that this whole thing was just a case of "someone jumped on an easy 'solution' without putting enough thought into its implications".
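
Added example, not part of the original thread and not GOG's or innoextract's code: a sketch of the contrast drawn in the last comment, between a check keyed by a secret every installer carries and per-file hashes pinned in a separately trusted manifest. The file names, data and secret are constructed; HMAC stands in for the passworded archive, and the manifest is assumed to sit inside the EXE under its code signature.

```python
import hashlib
import hmac

# Constructed stand-ins for an installer's .bin parts (not real game data).
PARTS = {
    "setup_game-1.bin": b"constructed payload, part 1",
    "setup_game-2.bin": b"constructed payload, part 2",
}
# Constructed stand-in for a password that every copy of the installer carries.
EMBEDDED_SECRET = b"constructed-embedded-password"


def build_manifest(parts):
    """Digest of each part, fixed at release time. Assumption: the manifest
    lives inside the EXE and is covered by its code signature."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in parts.items()}


def failed_parts(parts, manifest):
    """Names that are missing, unexpected, or whose SHA-256 differs."""
    bad = []
    for name in sorted(set(parts) | set(manifest)):
        if name not in parts or name not in manifest:
            bad.append(name)
        elif not hmac.compare_digest(
            hashlib.sha256(parts[name]).hexdigest(), manifest[name]
        ):
            bad.append(name)
    return bad


def secret_tag(data, secret=EMBEDDED_SECRET):
    """Tag keyed by the embedded secret (stand-in for the passworded archive)."""
    return hmac.new(secret, data, hashlib.sha256).digest()


def secret_scheme_ok(data, tag):
    """Verifier's view: any tag made with the embedded secret is accepted."""
    return hmac.compare_digest(secret_tag(data), tag)


def compare_schemes():
    manifest = build_manifest(PARTS)
    altered = {**PARTS, "setup_game-2.bin": b"constructed payload, altered"}
    # Whoever holds the installer holds the secret, so a tag recomputed over
    # altered data is indistinguishable from the publisher's own.
    repackaged_tag = secret_tag(altered["setup_game-2.bin"])
    return {
        "secret_scheme_accepts_altered": secret_scheme_ok(
            altered["setup_game-2.bin"], repackaged_tag
        ),
        "manifest_flags_altered": failed_parts(altered, manifest),
        "manifest_flags_original": failed_parts(PARTS, manifest),
    }
```

The manifest check only means something if the manifest itself is verified first, which is the job the EXE's signature does in the scheme described above.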