GOG has begun using encrypted RAR files in their Windows installers for various games to enhance their security. This however has caused problems for some Linux users.
The new installer format uses password protected RAR files that are encrypted to stop pirates from adding malware to the installer and then spreading that package throught torrents to users. The password protection is also meant to prevent user stupidity where the user would unpack the RAR file without running the installer like it's meant to (on Windows) thus breaking the installation package.
Source
The problems arise when Linux users attempt to use the extraction utility innoextract to unpack the installers of the games without having to use Wine. This is useful when using some versions of Wine that don't support GOG's installers or when you only want to access the game's data files to use them with an alternate game engine. The password protection put in place by GOG effectively prevents innoextract from extracting the package, making users reliant upon GOG's own installers which, like I said, might not work in Wine.
Some users consider this behaviour DRM-ish and against GOG's promise of being a DRM-free game store and they have put up a wishlist entry on GOG to make them revert back to the old installers. You can vote and add your comments here: https://www.gog.com/wishlist/site/dont_slip_into_drm_swamp_stop_using_password_protection_on_installer_packages
Known affected games include games such as Assassins Creed, Wasteland 2, Heroes of Might and Magic 5 and The Bard's Tale along with other games. Note that this doesn't affect Linux packages of the Linux supported games, only the Windows installers. You can also check the full list of games that are affected and also report your findings here:
https://github.com/dscharrer/innoextract/issues/37#issuecomment-67915715
Some Thoughts
The line between DRM and no DRM might not always be absolutely clear. In this case the password protection doesn't prevent you from making copies of your games, as you can just copy the installers around, but it does prevent you from messing around with the installer and makes you depend on their own installer.
But in any case I do side with the crowd against these measures. The way I see it, they are trying to protect pirates from malicious pirates and users from themselves which I find quite ridiculous. Normal user who purchases a game from GOG (on Windows) will most likely go for the big file that contains words like “setup” or “installer” instead of clicking random .bin files. And protecting pirates? Now that is just plain silly. Prevention of malware is of course good but if you are going to pirate games you have to be ready to pay the price of potentially installing something nasty on your system and many pirates are aware of this and throw their anti-virus scanners at every piece of warez they download.
Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates?
The new installer format uses password protected RAR files that are encrypted to stop pirates from adding malware to the installer and then spreading that package throught torrents to users. The password protection is also meant to prevent user stupidity where the user would unpack the RAR file without running the installer like it's meant to (on Windows) thus breaking the installation package.
Source
The problems arise when Linux users attempt to use the extraction utility innoextract to unpack the installers of the games without having to use Wine. This is useful when using some versions of Wine that don't support GOG's installers or when you only want to access the game's data files to use them with an alternate game engine. The password protection put in place by GOG effectively prevents innoextract from extracting the package, making users reliant upon GOG's own installers which, like I said, might not work in Wine.
Some users consider this behaviour DRM-ish and against GOG's promise of being a DRM-free game store and they have put up a wishlist entry on GOG to make them revert back to the old installers. You can vote and add your comments here: https://www.gog.com/wishlist/site/dont_slip_into_drm_swamp_stop_using_password_protection_on_installer_packages
Known affected games include games such as Assassins Creed, Wasteland 2, Heroes of Might and Magic 5 and The Bard's Tale along with other games. Note that this doesn't affect Linux packages of the Linux supported games, only the Windows installers. You can also check the full list of games that are affected and also report your findings here:
https://github.com/dscharrer/innoextract/issues/37#issuecomment-67915715
Some Thoughts
The line between DRM and no DRM might not always be absolutely clear. In this case the password protection doesn't prevent you from making copies of your games, as you can just copy the installers around, but it does prevent you from messing around with the installer and makes you depend on their own installer.
But in any case I do side with the crowd against these measures. The way I see it, they are trying to protect pirates from malicious pirates and users from themselves which I find quite ridiculous. Normal user who purchases a game from GOG (on Windows) will most likely go for the big file that contains words like “setup” or “installer” instead of clicking random .bin files. And protecting pirates? Now that is just plain silly. Prevention of malware is of course good but if you are going to pirate games you have to be ready to pay the price of potentially installing something nasty on your system and many pirates are aware of this and throw their anti-virus scanners at every piece of warez they download.
Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates?
Some you may have missed, popular articles from the last month:
All posts need to follow our rules. For users logged in: please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Guest readers can email us for any issues.
Thats why I stopped buying games which do not support Linux by default.
Edit:
As for the password protection I do not see any reason why they could not do with their installer whatever they want as long games stay DRM-free.
or when you only want to access the game's data files to use them with an alternate game engineAnd I am too lazy to do this :). If I can not install game with one ore two clicks I do not bother,
Edit:
As for the password protection I do not see any reason why they could not do with their installer whatever they want as long games stay DRM-free.
0 Likes
I never use Wine or GOG so it doesn't affect me :)
1 Likes, Who?
Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates?Legitimate? Just pointing out that those 'legitimate' ones want to play games that are not in any way supported for Linux...
0 Likes
Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates?Legitimate? Just pointing out that those 'legitimate' ones want to play games that are not in any way supported for Linux...
I mean, not supporting Linux is a stupid move and they should do everything they can to make it work on Linux. And if GOG prevents people from playing it in Wine, then they prevent Linux users from playing the game.
1 Likes, Who?
This all seems like a confected outrage. This isn't DRM. And by all accounts it's a trivial matter to bypass. (Why wasn't this mentioned in the post?)
By the sounds of it, this would work:
By the sounds of it, this would work:
GAMENAME=neverwinter_nights_diamond_edition
GAMEID=`curl -s -o- http://www.gog.com/game/$GAMENAME | pcregrep --buffer-size 1M -o1 "addToCart\('/cart/add/(\d+)'\)"`
unrar x p`echo $GAMEID | md5sum | cut -d ' ' -f 1` $FILE
1 Likes, Who?
This all seems like a confected outrage. This isn't DRM. And by all accounts it's a trivial matter to bypass. (Why wasn't this mentioned in the post?)I might have overlooked that bit when I went through the forum thread. Based on the messages I read and the tip that was given to us I got the impression that the password wasn't general knowledge.
By the sounds of it, this would work:
GAMENAME=neverwinter_nights_diamond_edition
GAMEID=`curl -s -o- http://www.gog.com/game/$GAMENAME | pcregrep --buffer-size 1M -o1 "addToCart\('/cart/add/(\d+)'\)"`
unrar x p`echo $GAMEID | md5sum | cut -d ' ' -f 1` $FILE
0 Likes
for authenticity, they could just sign and checksum their files like everyone else?
It seems as if in trying to make a turn-key install process they made it more complicated and harder to install for people who know what they're doing. Not a good sign.
And definitely a breaker for some Linux WINE runners.
It seems as if in trying to make a turn-key install process they made it more complicated and harder to install for people who know what they're doing. Not a good sign.
And definitely a breaker for some Linux WINE runners.
1 Likes, Who?
for authenticity, they could just sign and checksum their files like everyone else?
Indeed. Just open source your client and use it to authenticate the downloads so clueless people can benefit too...
Easy peasy. This actually makes the teachie guy in gog looks pretty useless. What else is this guy in charge of to be aware?
0 Likes
This is why I only buy games on Steam... Let the Steam client do the installing.
1 Likes, Who?
And definitely a breaker for some Linux WINE runners.
couldn't you just use the GOG installer in wine anyway?
I might have overlooked that bit when I went through the forum thread. Based on the messages I read and the tip that was given to us I got the impression that the password wasn't general knowledge.
it was in the github post (like one post after the one you linked to), not trying to sound like an arsehole here, but i didn't read the thread much either. it just seems like a bizarre change, yes, but the response is completely overblown (like every linux gaming issue).
1 Likes, Who?
This is why I only buy games on Steam... Let the Steam client do the installing.
You seem to not really understand what the topic really is.
GoG supported Linux games are easy to install. That's not the problem.
The thing is about those Windows games that still wern't supported in Linux by GoG but Linux users try to make so by manually extract the assets and running another alternative Linux game engine.
Think about gemRB, scumwm or such.
2 Likes, Who?
Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates?Legitimate? Just pointing out that those 'legitimate' ones want to play games that are not in any way supported for Linux...
What about Unreal Tournament? While not a GOG-supported use, buying the Windows version for the resource files and then downloading the Linux port's binaries is a legal, developer-approved way to play it natively on Linux.
(As long as you're willing to take responsibility for writing wrapper scripts to work around things like the original Unreal engine assuming that the CPU's clock speed will remain fixed.)
1 Likes, Who?
I should also mention that the RAR password protection is ineffective at protecting against malware.
It's symmetric crypto, so anyone who can gain knowledge of the password (eg. because they know how to breakpoint a file without debugging symbols or they learned to disassemble binaries to write cracks and keygens) can generate a RAR with added malware.
I've already suggested to Gowor that a better approach would be to have the (already signed) EXE do a signature or hash verification check on the RAR. (One of the stated goals was enabling rapid iteration, so maybe embedding a public key in the signed EXE and storing a cryptographically-signed manifest of expected contents in the RAR so it could be updated without rebuilding the EXE)
I also suggested that a much less controversial way to prevent user stupidity would be to replace the 7-byte identifying prefix on the RAR header with some other 7-byte string, since they're already using a modified unrar.dll anyway. (eg. replacing the "Rar!" portion at the beginning with "GOG!")
That way, WinRAR wouldn't recognize it but they could be converted into ordinary RARs by us more technical users with a single line of Python code.
(And, of course, someone else pointed out that, if VLC trying to open BIN files is really that much of a problem, they can come up with their own file extension too.)
It's symmetric crypto, so anyone who can gain knowledge of the password (eg. because they know how to breakpoint a file without debugging symbols or they learned to disassemble binaries to write cracks and keygens) can generate a RAR with added malware.
I've already suggested to Gowor that a better approach would be to have the (already signed) EXE do a signature or hash verification check on the RAR. (One of the stated goals was enabling rapid iteration, so maybe embedding a public key in the signed EXE and storing a cryptographically-signed manifest of expected contents in the RAR so it could be updated without rebuilding the EXE)
I also suggested that a much less controversial way to prevent user stupidity would be to replace the 7-byte identifying prefix on the RAR header with some other 7-byte string, since they're already using a modified unrar.dll anyway. (eg. replacing the "Rar!" portion at the beginning with "GOG!")
That way, WinRAR wouldn't recognize it but they could be converted into ordinary RARs by us more technical users with a single line of Python code.
(And, of course, someone else pointed out that, if VLC trying to open BIN files is really that much of a problem, they can come up with their own file extension too.)
1 Likes, Who?
This is why I only buy games on Steam... Let the Steam client do the installing.
You seem to not really understand what the topic really is.
GoG supported Linux games are easy to install. That's not the problem.
The thing is about those Windows games that still wern't supported in Linux by GoG but Linux users try to make so by manually extract the assets and running another alternative Linux game engine.
Think about gemRB, scumwm or such.
I run two versions of Steam on my Linux box. The native version, that is responsible for my Linux installs. That version is not the version I am referring to.
The version I am referring to is the one located in a Crossover bottle. My statement still stands. Steam, running under Crossover (Wine) manages the install automatically for me. I have had great success with running Steam in this way, and I do not have to deal with encryption and DRM. Steam manages that... For the most part. Still no luck with UPlay games.
0 Likes
And by all accounts it's a trivial matter to bypass. (Why wasn't this mentioned in the post?)DRM is ineffective, news at 11. Does not mean it's not DRM.
3 Likes, Who?
As a long-time GOG customer, I will say that this does seem a little DRM-ish to me. Just my two cents' worth.
2 Likes, Who?
This all seems like a confected outrage. This isn't DRM. And by all accounts it's a trivial matter to bypass ... it just seems like a bizarre change, yes, but the response is completely overblown (like every linux gaming issue).
You do realize that under my country's insane copyright laws bypassing this could be considered just as illegal as pirating the content itself?
Bill C-11 prohibits the circumvention of any access control installed on a work, performer’s performance fixed in a sound recording or a sound recording, even if the work subject to the digital lock is legally acquired.
That alone makes this a very serious issue that GOG is going to have back away from.
3 Likes, Who?
I don't think anything is being overblown here.
This does smell like small scale DRM, altough it may have good intentions, it doesn't change what it is.
Not impressed by this.
This does smell like small scale DRM, altough it may have good intentions, it doesn't change what it is.
Not impressed by this.
2 Likes, Who?
The password method was already discovered by the community. This doesn't make it any better however. Tomorrow they can easily change that method without warning. This is DRM in some way.
2 Likes, Who?
Nevermind.
0 Likes
See more from me