I just downloaded some offline installers (Broforce and Unreal Lust Theory early access) and when launching the installer it asks if I want this app from an unknown publisher to make changes to my device.

It's supposed to ask if I want this app from verified publisher GOG sp. z o.o to make changes to my device.

This has me concerned, do I have a virus or are my installers corrupted or something?

I have never seen installers from GOG that were not signed by GOG. I don't have Lust Theory but I have just checked the latest Broforce installer and the signature is as it should be. See attaches.

Maybe try running "sfc /scannow" at an administrator cmd prompt & reboot.

I doubt it. It only wants permissions so it can install dependencies and access the registry for the entries that need that.

As for the unknown publisher part, not sure. Was this on a machine unable to access the internet? (or have firewall settings to block) I can only think maybe something was trying to ping and check against a public key vs everything locally.

Going to properties on Syberia i see a digital signature. To note i also see GoG Limited as another name in some of my installers.

I just checked against an older Broforce installer and found the older installer (from 2023) used SHA1 digest algorithm while the new installer uses sha256. The 2023 installer was signed by "DigiCert Timestamp 2023" and the new installer by "Sectigo RSA Time Stamping Signer #4". For the new installer it says "The certificate in the signature cannot be verified". Yes, I try to keep Windows offline.

Somehow it managed to access the internet last time I booted it, because it installed a UEFI update, then the screen went black (but backlight remained on) and after 2 minutes I decided it had crashed. Rebooted, and it took like half a minute for anything to appear on screen. I feared the update had bricked my laptop. When it did come back to life, Windows destroyed my bootloader again. Bye bye multiboot. Hopefully the partitions are still intact.

This is exactly why I had revoked Windows' internet privileges. Some update might be required to verify the signatures of the new installers, I'll have to look into that.

Mhmm. I would forcibly turn off and remove update. But if you can't manage securing it down, then yeah keeping it offline is the next best thing.

I'm sure the partitions are fine, though you might boot a liveCD to check, or to set back up the multiboot options.

So i'd guess based on your snapshot you see the certificate, but it probably couldn't be verified to be the same one.

As long as the MD5 sums match i call that close enough.

Please don't rely on md5 for security. It's not safe.

I would think md5 is enough to check if something is not corrupted, but not for checking if it is not tampered with.

Yes, that is correct. GOG started using a new certificate a few months back. And that is the reason why the signature does not verify. You are missing one of the certificates in the certificate chain. Windows downloads missing certificates automatically but if it can't do that the signature will not verify.

For anyone else who wishes to keep their Windows offline, here's how I solved it:

Go to https://www.digicert.com/kb/digicert-root-certificates.htm and download the DER/CRT file for "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1". Transfer the file to your Windows machine. (USB stick, CD/DVD-R(W), IPoAC LAN FTP, null modem cable, encode as base64 and type it in, etc..)

Double click and follow instructions. This is specifically the certificate GOG installers use, so for other sources you may need different certificates. For my personal use case, this'll do.

Oddly, the instructions from https://woshub.com/updating-trusted-root-certificates-in-windows-10/ to install the files from https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-trust (http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab) didn't help for me. md5 (or even crc32) is fine to rule out accidental corruption, but shouldn't be relied upon for intentional tampering. (like a virus that infects other executable files)

But I'm used to seeing a certificate with GOG installers, so not seeing it made me wonder if it had been tampered with somehow.

Oddly, I don't recall running into this issue ever before. For sh*ts-and-giggles, I just checked on a Windows 7 SP1 machine, totally unpatched. That's from 2011. Broforce 2023 installer: fine! Broforce 2024 installer: NOPE!

Considering the installers are compressed, getting the MD5 to match, and be tampered with, and tamper with executable code vs say images or map data, as well as still be a valid bitstream (as not to barf during install) seems a bit low. Though you could always have two or three different hashes, you can't make them all work.

Couple years ago i wrote a bash script to find duplicate files; this script heavily relies on md5. I figure, if the hashes don't match, it can't possibly be similar files. If they do match, there's a 99% or higher they are identical, so before it does the full delete & link or make a restore script, it does a full byte-by-byte compare just to make sure first. Works pretty darn well too.

In general md5 is sufficient unless you need to be extra paranoid. In theory anyone can make a new certificate and just sign it themselves and slap it on something. But with public key encryption, you should be able to verify the public key (since it should be public and published somewhere) is indeed genuine. Fully offline can't verify that step, so yeah i'd expect a 'unknown' or 'unverified' publisher.

Please explain why?

All MD5 checking does, is make sure the file downloaded without interference or it matches what is on a GOG server.

If it was already corrupted on a GOG server, not much you can do about that, and who can really tell you for sure? At best you can throw a small enough file at VirusTotal and go by the majority result. But really, virus scanners make mistakes all the time, many of them being over-zealous.
I'd like to see that ... or even hear about it being possible.

Infecting a file is going to change its MD5 value, no doubt about that. Maybe if you had a ton of code and a super computer you might be able to tamper and not have it change the MD5, but even then I seriously doubt it. And of course some small virus on your PC or GOG's sever is never going to be able to do that.

Thank you. It worked. *thumbs up*
I hadn't even noticed yet that the newest GOG installers and updates don't validate anymore...

It is too easy to find a collision. MD5 hasn't been secure enough for many years. There are enough research papers around that show that.

And for md5 it has been a huge issue even before this much computing power was cheaply available through one of the cloud services.