GOG has begun using encrypted RAR files in their Windows installers for various games to enhance their security. This however has caused problems for some Linux users.
The new installer format uses password protected RAR files that are encrypted to stop pirates from adding malware to the installer and then spreading that package throught torrents to users. The password protection is also meant to prevent user stupidity where the user would unpack the RAR file without running the installer like it's meant to (on Windows) thus breaking the installation package.
Source
The problems arise when Linux users attempt to use the extraction utility innoextract to unpack the installers of the games without having to use Wine. This is useful when using some versions of Wine that don't support GOG's installers or when you only want to access the game's data files to use them with an alternate game engine. The password protection put in place by GOG effectively prevents innoextract from extracting the package, making users reliant upon GOG's own installers which, like I said, might not work in Wine.
Some users consider this behaviour DRM-ish and against GOG's promise of being a DRM-free game store and they have put up a wishlist entry on GOG to make them revert back to the old installers. You can vote and add your comments here: https://www.gog.com/wishlist/site/dont_slip_into_drm_swamp_stop_using_password_protection_on_installer_packages
Known affected games include games such as Assassins Creed, Wasteland 2, Heroes of Might and Magic 5 and The Bard's Tale along with other games. Note that this doesn't affect Linux packages of the Linux supported games, only the Windows installers. You can also check the full list of games that are affected and also report your findings here:
https://github.com/dscharrer/innoextract/issues/37#issuecomment-67915715
Some Thoughts
The line between DRM and no DRM might not always be absolutely clear. In this case the password protection doesn't prevent you from making copies of your games, as you can just copy the installers around, but it does prevent you from messing around with the installer and makes you depend on their own installer.
But in any case I do side with the crowd against these measures. The way I see it, they are trying to protect pirates from malicious pirates and users from themselves which I find quite ridiculous. Normal user who purchases a game from GOG (on Windows) will most likely go for the big file that contains words like “setup” or “installer” instead of clicking random .bin files. And protecting pirates? Now that is just plain silly. Prevention of malware is of course good but if you are going to pirate games you have to be ready to pay the price of potentially installing something nasty on your system and many pirates are aware of this and throw their anti-virus scanners at every piece of warez they download.
Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates? Article taken from GamingOnLinux.com.
The new installer format uses password protected RAR files that are encrypted to stop pirates from adding malware to the installer and then spreading that package throught torrents to users. The password protection is also meant to prevent user stupidity where the user would unpack the RAR file without running the installer like it's meant to (on Windows) thus breaking the installation package.
Source
The problems arise when Linux users attempt to use the extraction utility innoextract to unpack the installers of the games without having to use Wine. This is useful when using some versions of Wine that don't support GOG's installers or when you only want to access the game's data files to use them with an alternate game engine. The password protection put in place by GOG effectively prevents innoextract from extracting the package, making users reliant upon GOG's own installers which, like I said, might not work in Wine.
Some users consider this behaviour DRM-ish and against GOG's promise of being a DRM-free game store and they have put up a wishlist entry on GOG to make them revert back to the old installers. You can vote and add your comments here: https://www.gog.com/wishlist/site/dont_slip_into_drm_swamp_stop_using_password_protection_on_installer_packages
Known affected games include games such as Assassins Creed, Wasteland 2, Heroes of Might and Magic 5 and The Bard's Tale along with other games. Note that this doesn't affect Linux packages of the Linux supported games, only the Windows installers. You can also check the full list of games that are affected and also report your findings here:
https://github.com/dscharrer/innoextract/issues/37#issuecomment-67915715
Some Thoughts
The line between DRM and no DRM might not always be absolutely clear. In this case the password protection doesn't prevent you from making copies of your games, as you can just copy the installers around, but it does prevent you from messing around with the installer and makes you depend on their own installer.
But in any case I do side with the crowd against these measures. The way I see it, they are trying to protect pirates from malicious pirates and users from themselves which I find quite ridiculous. Normal user who purchases a game from GOG (on Windows) will most likely go for the big file that contains words like “setup” or “installer” instead of clicking random .bin files. And protecting pirates? Now that is just plain silly. Prevention of malware is of course good but if you are going to pirate games you have to be ready to pay the price of potentially installing something nasty on your system and many pirates are aware of this and throw their anti-virus scanners at every piece of warez they download.
Is preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates? Article taken from GamingOnLinux.com.
0 Likes
Some you may have missed, popular articles from the last month:
The comments on this article are closed.
Quoting: BomyneThis is why I only buy games on Steam... Let the Steam client do the installing.
You seem to not really understand what the topic really is.
GoG supported Linux games are easy to install. That's not the problem.
The thing is about those Windows games that still wern't supported in Linux by GoG but Linux users try to make so by manually extract the assets and running another alternative Linux game engine.
Think about gemRB, scumwm or such.
2 Likes, Who?
Quoting: hardpenguinQuoteIs preventing legitimate customers that use Linux from playing the games worth saving a couple of minutes of support time and the computers of a handful of pirates?Legitimate? Just pointing out that those 'legitimate' ones want to play games that are not in any way supported for Linux...
What about Unreal Tournament? While not a GOG-supported use, buying the Windows version for the resource files and then downloading the Linux port's binaries is a legal, developer-approved way to play it natively on Linux.
(As long as you're willing to take responsibility for writing wrapper scripts to work around things like the original Unreal engine assuming that the CPU's clock speed will remain fixed.)
1 Likes, Who?
I should also mention that the RAR password protection is ineffective at protecting against malware.
It's symmetric crypto, so anyone who can gain knowledge of the password (eg. because they know how to breakpoint a file without debugging symbols or they learned to disassemble binaries to write cracks and keygens) can generate a RAR with added malware.
I've already suggested to Gowor that a better approach would be to have the (already signed) EXE do a signature or hash verification check on the RAR. (One of the stated goals was enabling rapid iteration, so maybe embedding a public key in the signed EXE and storing a cryptographically-signed manifest of expected contents in the RAR so it could be updated without rebuilding the EXE)
I also suggested that a much less controversial way to prevent user stupidity would be to replace the 7-byte identifying prefix on the RAR header with some other 7-byte string, since they're already using a modified unrar.dll anyway. (eg. replacing the "Rar!" portion at the beginning with "GOG!")
That way, WinRAR wouldn't recognize it but they could be converted into ordinary RARs by us more technical users with a single line of Python code.
(And, of course, someone else pointed out that, if VLC trying to open BIN files is really that much of a problem, they can come up with their own file extension too.)
It's symmetric crypto, so anyone who can gain knowledge of the password (eg. because they know how to breakpoint a file without debugging symbols or they learned to disassemble binaries to write cracks and keygens) can generate a RAR with added malware.
I've already suggested to Gowor that a better approach would be to have the (already signed) EXE do a signature or hash verification check on the RAR. (One of the stated goals was enabling rapid iteration, so maybe embedding a public key in the signed EXE and storing a cryptographically-signed manifest of expected contents in the RAR so it could be updated without rebuilding the EXE)
I also suggested that a much less controversial way to prevent user stupidity would be to replace the 7-byte identifying prefix on the RAR header with some other 7-byte string, since they're already using a modified unrar.dll anyway. (eg. replacing the "Rar!" portion at the beginning with "GOG!")
That way, WinRAR wouldn't recognize it but they could be converted into ordinary RARs by us more technical users with a single line of Python code.
(And, of course, someone else pointed out that, if VLC trying to open BIN files is really that much of a problem, they can come up with their own file extension too.)
1 Likes, Who?
Quoting: IvancilloQuoting: BomyneThis is why I only buy games on Steam... Let the Steam client do the installing.
You seem to not really understand what the topic really is.
GoG supported Linux games are easy to install. That's not the problem.
The thing is about those Windows games that still wern't supported in Linux by GoG but Linux users try to make so by manually extract the assets and running another alternative Linux game engine.
Think about gemRB, scumwm or such.
I run two versions of Steam on my Linux box. The native version, that is responsible for my Linux installs. That version is not the version I am referring to.
The version I am referring to is the one located in a Crossover bottle. My statement still stands. Steam, running under Crossover (Wine) manages the install automatically for me. I have had great success with running Steam in this way, and I do not have to deal with encryption and DRM. Steam manages that... For the most part. Still no luck with UPlay games.
0 Likes
Quoting: neffoAnd by all accounts it's a trivial matter to bypass. (Why wasn't this mentioned in the post?)DRM is ineffective, news at 11. Does not mean it's not DRM.
3 Likes, Who?
oldrocker99 Dec 30, 2014
As a long-time GOG customer, I will say that this does seem a little DRM-ish to me. Just my two cents' worth.
2 Likes, Who?
Quoting: neffoThis all seems like a confected outrage. This isn't DRM. And by all accounts it's a trivial matter to bypass ... it just seems like a bizarre change, yes, but the response is completely overblown (like every linux gaming issue).
You do realize that under my country's insane copyright laws bypassing this could be considered just as illegal as pirating the content itself?
Quoting: Copyright Modernization ActBill C-11 prohibits the circumvention of any access control installed on a work, performer’s performance fixed in a sound recording or a sound recording, even if the work subject to the digital lock is legally acquired.
That alone makes this a very serious issue that GOG is going to have back away from.
3 Likes, Who?
I don't think anything is being overblown here.
This does smell like small scale DRM, altough it may have good intentions, it doesn't change what it is.
Not impressed by this.
This does smell like small scale DRM, altough it may have good intentions, it doesn't change what it is.
Not impressed by this.
2 Likes, Who?
The password method was already discovered by the community. This doesn't make it any better however. Tomorrow they can easily change that method without warning. This is DRM in some way.
2 Likes, Who?
Patreon
PayPal
See more from me