You'd have to change a number of bytes including the payload to keep it the same size, or add to the size. But as there's internal hash checking (where the Galaxy installer type files) where every file is named... after their hash code, it's easy to verify the files are in fact untouched before rebuilding the final result.

There may be better hashes out there, but as i said, MD5 should be sufficient... Now if you were updating core OS files, installing from a unknown source, or getting kernel level module files, yeah i'd extra-scrutinize. But for GoG installers i doubt it's necessary. A HUGE amount of tweaking would be needed to match the MD5 sum AND be a valid bitstream for the installer.
Still got older installers for like Police Quest, which includes all 5 games, rather than 5 installers bloating the installers by 5x.

No one claimed it was going to be easy. If it was, then we all would be constantly tampering with md5 all night long!

I am not an expert on how the hash algorithms really work etc., but this suggests MD5 shouldn't be used with security in mind:

https://en.wikipedia.org/wiki/MD5#Security

But as said, it is still quite usable for detecting unintentional corruption. I use it quite often with dvdsig to check in Windows if a set of files is still ok.

Curiously even a raw sum; Some 8bit BASIC programs have the minimum to verify the sum adds up before running said copied binary data from BASIC to raw hardware.

Regardless, corruption is actually quite common. Little OT history; Back when the first communications were being set up (serial and/or phone) some transfers of data would be fine, but many would have issues, bits flipped in several places. Eventually it was figured out to be noise on the line, but the pattern was fractal in nature, and difficult to predict. Ultimately it was impossible to remove.

So they started adding parity bits, you'd have a start bit, 8 bits of data, then additional parity bits to count even/odd and other tidbits for ECC, if the check failed you just requested the byte again. Finally there's a closing bit to say you're done.

There's tons of ECC built into normal communications, so a few errors are detected and corrected along the way, and only total failures need a repeat; Finally the ECC is discarded and you get the final data. So while very common to have corruption during transmission, a lot of data integrity is invisible to what we end users usually experience. Off hand i think IP4 uses CRC32 is used for basic checks.

While looking up on Error Correct Codes a bit, a paper on the Hubble Satellite they added apparently a 6bit something Solomon-Reed code; Which resulted in being able to use half the power or double the distance in effectiveness since errors during transmission would be detected and corrected. Used on common media, it means scratches on discs and even holes, can remain readable as it transparently fixes said data during reading. (Or it should try at least)

I guess the little TLDR. Errors and corruption is quite common; But the infrastructure and overhead lowers the final product to hopefully be the correct data. Were that not the case, i think the world would be a lot more chaotic.

NEver seen this

It's OK for general testing, but if you want to be certain of a file's integrity you need to use a better hash. md5 has a fair few proven hash collisions now. The chances of these collisions occurring at random is fairly low, but still possible.

Ideally GOG would have progressively moved onto better hashes by now.

Thanks for the info, I wasn't aware of MD5 collisions.

That said, I feel it is one thing to manufacture a collision for a known, quite another to do it for an unknown on-the-fly with a bit of virus code. At least that is my read of it.

I guess it is all about the odds isn't it.

It is one thing to throw a whole lot of files into a check for a collision for an MD5 value, but quite another to have one turn up randomly ... quite astronomical I would think ... more chance of winning the lottery it seems to me.

You are basically saying my download is corrupted, but the MD5 had a collision and so gave a match anyway.

Yeah noticed it too with the Kenshi update 1.68 offline installer. It was 300mb in size instead of 7.1gb. Installed a fishy kenshi.bat file instead of .exe. Certificate was expired too.
So I uploaded it to VirusTotal and contacted support. GOG told me to use GOG galaxy. How useful!

I think I have the installer still on my hard drive can check this if you want and please use a virtualization tool if you're in doubt of the files integrity. Better safe than sorry.

No, that was a bug with Kenshi version 1.0.68 which then got retracted.

https://www.gogdb.org/product/1193046833#changelog See also discussion here:
https://www.gog.com/forum/general/so_is_kenshis_update_problem_gonna_be_fixed_anytime_soon
https://www.reddit.com/r/Kenshi/comments/1bupnpu/comment/kxuzkp1/

Ok thanks for the information I wasn't aware of that. Wrong topic then...

Never mind

So he got downloads likely from two different versions in the middle of downloading?

Well that's a unique situation...

Not that unique. It has happened to me a few times. I even created a thread here about it.

The perils of downloading a large game soon after buying when a new release to the store. No doubt some early downloader reported an issue and the devs rushed to fix and re-upload.

My download program (gogcli.exe) GUI now reports a change of file name from what is in the manifest because of that, because the most recent version is automatically downloaded from GOG. I'm not sure if that always happens with all third party download programs.

Just an unfortunate matter of timing and how long it takes to download all files for some games.

I was just meaning he didn't do anything wrong and indeed basically got 'corrupted' files, since it wasn't what the installer was expecting. Afterall if you look at the offline links, they are something like gog.com/downloads/sacred_2_gold/en1install0 en1install1 en1install2, etc. It's a link and on the back end it serves you the file(s) and full filename. So if they switched a version, your link would still be valid, but may not point to the same thing it did an hour ago.

And only md5 sums or something to identify which version(s) are wrong and need replaced, or just redownload from scratch. Neither is good. Just hope they don't have a limited download plan.

Isn't that exactly what Timboli said? It's the reason why he lets his downloader double-check all received files.

Yes, more or less. But there's a lot of normies who don't know tech that won't know to look at that, hell sometimes for large files i have them download over night or over several days, so i might not notice something is wrong until days (or weeks later) when i go to check on them. I certainly don't have scripts confirming everything is correct after download and double checks the version matches; Then again i don't think i got any games that need hot-fixing in the last few years.