Topic: How To Verify the Downloaded Version of Ledger Live (Read 678 times)

legendary
Activity: 2730
Merit: 7065
> I don't know what Ledger folks are doing. I expect a checksum or link to a checksums page in the proximity of a download link and cherry on top is when there's a link to a thorough explanation on how to verify the checksum and integrity of the download properly.

The lack of information and instructions was like that from the beginning. I doubt they will do much to improve it. But just follow the recommendations in this thread and you will get there. It's a bad security practice to store all the files in the same place, but taking shortcuts seems to be a normal part of Ledger's business model.
hero member
Activity: 714
Merit: 1010
I don't know what Ledger folks are doing. I expect a checksum or link to a checksums page in the proximity of a download link and cherry on top is when there's a link to a thorough explanation on how to verify the checksum and integrity of the download properly.
legendary
Activity: 2730
Merit: 7065
> (I wouldn't consider https://ledger-live.vercel.app/lld-signatures as a valid source for the current checksums as posted by this moderator btchip on reddit who's flagged as Ledger co-founder; ridiculous security policy).

That's the first time I am seeing that source. I am also not a fan of browsing reddit and I wasn't aware that it was being recommended there. Maybe btchip is promoting it as a temporary solution while they complete their migration. It's interesting that the site you posted isn't mentioned in Ledger's official support documentation that explains how to verify the authenticity of Ledger Live, even though the last update was on 29 June 2022.

The article mentions downloading and verifying version 2.42 of LL and then using the in-app update feature to upgrade to the newest version. https://ledger-live.vercel.app/lld-signatures isn't mentioned.
hero member
Activity: 714
Merit: 1010

So it took them approx. from end of May until end of July to fix the important checksums page https://www.ledger.com/ledger-live/lld-signatures on their own website? (I wouldn't consider https://ledger-live.vercel.app/lld-signatures as a valid source for the current checksums as posted by this moderator btchip on reddit who's flagged as Ledger co-founder; ridiculous security policy).
Until yesterday or day before yesterday https://www.ledger.com/ledger-live/lld-signatures was stuck at v2.42 as last available checksums.

The Ledger folks have some strange priorities.
legendary
Activity: 2730
Merit: 7065
It is again possible to verify the installation binaries of Ledger Live by following the instructions in OP and using the data available on https://www.ledger.com/ledger-live/lld-signatures just like in the past. Since Ledger migrated to a new GitHub repository, they didn't update the site with the sha512 hashes and signatures for the new releases, but now it's available again.

Since the old GitHub site with release notes isn't maintained anymore, you can now see what's new in the new versions by going to https://support.ledger.com/hc/en-us/articles/360020773319-What-s-new-in-Ledger-Live-?docs=true.
full member
Activity: 1750
Merit: 186
Yeah, what he posted is how HCP suggested checking Ledger Live.
legendary
Activity: 2730
Merit: 7065
Another thing that I realized with the Ledger Live download signatures page is that they removed the links to download the Windows version of Ledger Live. When I initially created this thread, it was still available. While going through the older versions from the dropdown menu, the last release whose Windows link was posted was v2.34.4. From 2.35.0 onwards, there are only download links for Mac and Linux.

Doesn't really make sense to me. Having them all there would make it easier to download all the needed files for the verification.
copper member
Activity: 2338
Merit: 4543
> Nice of you to chip in. So Jerry PMed you as well. I guess there are very few people who weren't contacted by him with the same questions.
> If you PMed him with the same exact instructions, he is now going to ask you about each step and ask if that is the best way to do it and if everyone else does it that way as well. I can't figure out why he needs instructions in a thread that has provided those instructions by myself and other users who have chipped in and explained various ways to do it.

Yeah, I hope he'll be satisfied with the answer...  And I hope he remembers it months from now when Ledger issues another update.

That OpenSSL signature has been bugging me for a while now, it was like an itch I needed to scratch.  I'm still not satisfied that I couldn't use PowerShell to verify it, but I've got more pressing matters today: There's a prime rib that needs to be BBQ'd.

Happy New Year, all.
legendary
Activity: 2730
Merit: 7065
Nice of you to chip in. So Jerry PMed you as well. I guess there are very few people who weren't contacted by him with the same questions.
If you PMed him with the same exact instructions, he is now going to ask you about each step and ask if that is the best way to do it and if everyone else does it that way as well. I can't figure out why he needs instructions in a thread that has provided those instructions by myself and other users who have chipped in and explained various ways to do it.
copper member
Activity: 2338
Merit: 4543
@jerry0 contacted me via PM to help with this, sorry it took me so long to get to it.  I haven't used my Ledger wallets in over a year.  Therefore, I haven't had LedgerLive installed on my system, but I went ahead and downloaded the latest version and set about to verify it.

I found Ledger's instructions on how to verify the checksums here: https://www.ledger.com/ledger-live/lld-signatures

I downloaded the .pem file, the .sig file, and the .sha512sum file (saved with a .txt extension).  The first thing I noticed is that the checksums file is signed with an OpenSSL key, not GPG.  Being a Windows user myself, this created a roadblock right away.  I don't have much experience with OpenSSL, let alone OpenSSL in Windows, so I didn't know how to verify the signature.  I installed the OpenSSL module that's available through the PowerShell package manager, but it doesn't appear to provide a command to validate signatures.  I found a third-party package manager that claims to have a module called "OpenSSL.Light" which again claims to work similar to OpenSSL commands on Linux.  I didn't install it, because I don't want a third-party anything installed on my system.  So, I gave up and used WSL to validate the signature.

In WSL I browsed to the directory where I had saved all the files, and ran this command:

Code:
openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.36.3.sha512sum.sig ledger-live-desktop-2.36.3.sha512sum.txt

Kind of a shitty thing to do to Windows users, in my opinion.  Why not just use GPG like almost all of the other software vendors in the cryptocurrency space?  I've been displeased with Ledger for a variety of reasons, and this ain't helping win me back.  Not to mention the lack of security: The OpenSSL certificate, the signature file, and the checksums file are all hosted on the same server.  What could go wrong?

Once that was done the rest of it went fairly smoothly.  Now that I've confirmed the checksum file was signed with the OpenSSL certificate provided by Ledger I can check the SHA512 hash of the executable file.  I was able to do so in PowerShell like I normally do.

I prefer to use CertUtil to check hash sums:

Code:
certutil -hashfile ledger-live-desktop-2.36.3-win-x64.exe sha512

The instructions on Ledger's web page suggest using the Get-FileHash command, like this:

Code:
Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512

But that's not great.  As you can see below, when using that command it truncates the results, only showing a portion of the hash.  As HCP suggested earlier in this thread, you can add "| Format-Table -Wrap" to the end of the command, and the complete results will be displayed.  Here's the full command:

Code:
Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512 | Format-Table -Wrap

@jerry0 was concerned because the results he got were all in capital letters.  As you can see above, the hash sum is the same regardless of which utility you use, but Get-FileHash displays the results with all capital letters, while CertUtil provides the results with all lower-case letters.  It doesn't appear that the hash sum is case-sensitive.
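The post above does the verification in two separate tools (OpenSSL in WSL for the signature, then certutil or Get-FileHash for the SHA512) and ends with the question of whether the upper-case Get-FileHash output matters. The script below is an added example, not code from the thread or from Ledger: it chains the same two checks into one function and settles the case question by comparing digests case-insensitively, which is correct because a hex digest is the same number whichever case the tool prints it in. The key pair, the "installer" and the checksum list it builds are constructed placeholders so the script runs offline in WSL or any POSIX shell with openssl and coreutils; for a real check you would pass ledgerlive.pem, the .sha512sum.sig and the .sha512sum file from Ledger's signatures page plus the downloaded .exe, and nothing else changes.

```shell
#!/bin/sh
# Added example (not from the thread or from Ledger). Signature check over the
# checksum list first, then the SHA512 of the download against that list.

# same_digest A B -> 0 if the two hex digests are equal ignoring case.
# Hex digits are case-insensitive, so an upper-case Get-FileHash result and a
# lower-case certutil result describe the same file.
same_digest() {
  a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_release PEM SIG SUMS FILE
# Exit status: 0 all good, 1 bad signature on SUMS, 2 FILE not listed in SUMS,
# 3 SHA512 mismatch. Order matters: the list is only trusted once its
# signature checks out, otherwise a tampered list could vouch for a tampered file.
verify_release() {
  pem=$1; sig=$2; sums=$3; file=$4
  openssl dgst -sha256 -verify "$pem" -signature "$sig" "$sums" >/dev/null 2>&1 || return 1
  # sha512sum lines look like "<hex>  <name>" (or "<hex> *<name>" in binary mode)
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
  [ -n "$expected" ] || return 2
  actual=$(sha512sum "$file" | awk '{ print $1 }')
  same_digest "$expected" "$actual" || return 3
  return 0
}

# make_fixture DIR -- constructed test data: a throwaway RSA key pair, a fake
# installer, its checksum list, and a signature over the list produced with
# the counterpart of the verify command (openssl dgst -sha256 -sign).
make_fixture() {
  dir=$1
  mkdir -p "$dir"
  printf 'placeholder installer bytes\n' > "$dir/installer.exe"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/vendor.key" 2>/dev/null
  openssl pkey -in "$dir/vendor.key" -pubout -out "$dir/vendor.pem" 2>/dev/null
  ( cd "$dir" && sha512sum installer.exe > installer.sha512sum )
  openssl dgst -sha256 -sign "$dir/vendor.key" \
    -out "$dir/installer.sha512sum.sig" "$dir/installer.sha512sum"
}

# Demo run on the constructed fixture; swap in the real files for a real check.
demo=$(mktemp -d)
make_fixture "$demo"
verify_release "$demo/vendor.pem" "$demo/installer.sha512sum.sig" \
  "$demo/installer.sha512sum" "$demo/installer.exe"
rc=$?
case $rc in
  0) echo "signature OK and SHA512 matches" ;;
  1) echo "REJECT: checksum list is not signed by the vendor key" ;;
  2) echo "REJECT: file is not listed in the checksum list" ;;
  *) echo "REJECT: SHA512 mismatch, the download is not the signed one" ;;
esac
rm -rf "$demo"
```

The distinct exit codes are deliberate: "the list is forged" and "the file does not match a genuine list" are different incidents, and a user who only sees "Verification Failure" cannot tell whether to re-download the installer or to distrust the signatures page itself.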
legendary
Activity: 2730
Merit: 7065
> except how come what I bolded below is all in CAPITAL LETTERS?
> SHA512 - 70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd7636cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf

I never used PowerShell for the verification. I did it precisely as explained in the OP and used OpenSSL. The SHA512 string you pasted is not in capital letters. But even if it is, I don't see a reason to worry if you are getting the correct data.

> Also to the right of the bolded above... I see Path C:/users/jerry0/downloads/ledger-live-desktop-2.36.3-win-x64.exe.  I don't recall seeing this a few months ago when I did this test with Windows PowerShell to verify Ledger Live?

That's just the location where the downloaded files are that were used for the verification. It was probably there the last time you did it as well, you just don't remember it. Shouldn't be a reason to worry.
full member
Activity: 1750
Merit: 186
I did the step HCP recommended a while back.

When I typed this in Windows PowerShell...

Code:
Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap

It is supposed to show this after you click enter to confirm it matches.

70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd7636cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf

It shows below which is the correct letters and numbers... except how come what I bolded below is all in CAPITAL LETTERS?  Can someone here confirm this?  Last time when I did this with an earlier version of Ledger Live, I was pretty sure it was all in lowercase.  But now it's all in uppercase?

SHA512 - 70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd7636cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf

Also to the right of the bolded above... I see Path C:/users/jerry0/downloads/ledger-live-desktop-2.36.3-win-x64.exe.  I don't recall seeing this a few months ago when I did this test with Windows PowerShell to verify Ledger Live?  Just want to make sure before I install it.
legendary
Activity: 2730
Merit: 7065
Nothing has changed and the procedure is still the same last time I checked. My last LL update was less than a month ago.
I am not sure what you read on reddit. This guide is for Windows, and I tested it on my Windows PC. I don't have a Mac, so I wouldn't know. You use Windows as well, so don't worry about Macs.
full member
Activity: 1750
Merit: 186
Okay, well actually I will come back to this thread.  Reason being I have to do an install of Ledger Live again.  But the process is still the same, right?

I also read on reddit recently that apparently the code for it was not the same?  But I heard this was only with Mac devices?
legendary
Activity: 2730
Merit: 7065
Monthly bump
full member
Activity: 1750
Merit: 186
Thanks.

HCP helped me with this and it confirms it's a legit download.
legendary
Activity: 2730
Merit: 7065
> Security  This file came from another computer and might be blocked to help protect this computer.

Don't worry about the security notification. It happens sometimes when you download something from the internet in Windows. If the file is blocked, you can unblock it yourself. Right click on the file, go to Properties > General, and at the bottom of the screen where you see the security notification there should be an option that says Unblock. Click on it to unblock it if needed and press OK.

> Do I just click on the start menu and type in powershell and then click on Windows PowerShell or right-click and run as admin on Windows PowerShell?

No, don't do it like that. If you open PowerShell like that, you will have to manually navigate to the destination folder. HCP explained what you should do. After you have downloaded every single item from https://www.ledger.com/ledger-live/lld-signatures and saved them in the same folder, open that folder on your PC. Hold down the shift button on your keyboard while you press the right button on your mouse and click on "Open PowerShell window here". After that, follow the instructions you found.
full member
Activity: 1750
Merit: 186
I just downloaded Ledger Live from Ledger's site.

One thing I noticed was when I looked at the file without opening it... I right-click it and open Properties.  I notice in the General tab which it opens up...

The bottom shows

Security  This file came from another computer and might be blocked to help protect this computer.

Did any of you also have this message in the Ledger Live 2.33.1 download?  I took a look at the old Ledger Live desktop I downloaded which was 2.26.1 and when I right-click it and open Properties, I don't notice that message.

I am going to do HCP's method of verifying the signature and would appreciate it if someone could clear everything up.

Do I just click on the start menu and type in powershell and then click on Windows PowerShell or right-click and run as admin on Windows PowerShell?

Then once I do that

I see a blue screen that shows

Code:
Windows Powershell
Copyright (C) Microsoft Corporation.  All rights reserved.

Try the new cross-platform powershell  https://aka.ms/pscore6

PS C:Users/jerry0>

Then press spacebar once... and then type this and enter?

Code:
Get-FileHash ledger-live-desktop-2.33.1-win.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap

I just want to make sure of this before I continue as that security message "file came from another computer" is something I have never seen before.  Can you guys confirm this is the correct way to do it without downloading the hashbit etc?

Thing that has me confused is HCP says

> You just need to make sure you're in the folder where the .exe is located... if you use Explorer... goto the folder where you downloaded the .exe and then hold down the SHIFT key and right click in an empty space (not on a file or folder) in the window... you should see an option that says "Open PowerShell window here":

legendary
Activity: 2730
Merit: 7065
> Well HCP tells me I could do the check with PowerShell in Windows 10 and I do not have to download hashtag... which is something I like to hear.

So check the authenticity with PowerShell, that's ok. That's why I told you to read the thread, all the instructions are in the OP and the replies underneath it. If there is a post saying you can do it with PowerShell and explains how to, just follow the instructions and don't ask if that is the way the rest of the world does it.

> Well he and someone else told me he never heard of one instance of someone downloading Ledger Live from Ledger's official site and it being malware as long as it's Ledger's site.

Well there you go, what more do you want?

> I mean... does the average user who uses a hardware wallet even do the signature thing?

You are not an average user. I think everyone will agree with me that there isn't a single member on this forum like you. It shouldn't matter what other people do. Do it if you want to or don't. It's like with Electrum signatures. You verify them to be certain that the software was created and signed by the development team it's claimed it originates from. If you don't care, don't do it. It's that simple.

> Checking the signature as explained in Ledger Live ... the way they wrote it... isn't that simple.

What do you want me to do about it? What do you want the Bitcointalk community to do about that?
Again, my condolences. I will keep you in my prayers and ask God to simplify the authentication process for you.
full member
Activity: 1750
Merit: 186
Well HCP tells me I could do the check with PowerShell in Windows 10 and I do not have to download hashtag... which is something I like to hear.

Well he and someone else told me he never heard of one instance of someone downloading Ledger Live from Ledger's official site and it being malware as long as it's Ledger's site.  I mean... does the average user who uses a hardware wallet even do the signature thing?

Checking the signature as explained in Ledger Live ... the way they wrote it... isn't that simple.  It isn't like... okay, download the program.  Before you open it... right-click it and check Properties and make sure it shows exactly this... like what is shown in the picture here...

