Pages:
Author

Topic: How To Verify the Downloaded Version of Ledger Live - page 2. (Read 698 times)

legendary
Activity: 2730
Merit: 7065
So we have to download it directly from ledger site then no matter what?
You don't need to download anything from Ledger's site just for the sake of updating, but you need to download the installation file whose authenticity you are verifying. 

But again even though its posted how to check the legit files, i want to make sure I do it right.
The thread and the replies by other members show how to do it right. Don't ask questions for every step of the process. Everything is explained.

Has there been even one case of someone downloading ledger live from the correct ledger site and then downloading malware?
I just checked with all people on earth who use Ledger Live. The answer is negative.

Again I want to verify the ledger live but all this hash sum and these things... are not that simple.  So you need to download a hash on a different site before you download ledger live?
You do it exactly the way it was explained in the OP. That's why it was written in the first place. It wasn't written so that Jerry can ask whether or not it's the right way to do it.

I can't imagine for the average user that doing something like this is simple
My condolences.

If you just look at that... how do you even know where to look for the hash etc.
By reading what is written on the site from top to bottom. You can do that, right? Click on all of the links and download them to the same folder.

Now when i look at verifying the files... we also need to download another program?   I see its called hashbit.  How do you make sure a program like hashbit is malware free etc?
How have you made sure the other programs on your Windows computer are malware-free? Have you? Have you made sure the Ledger Live app you are using is malware-free? Use Hashbit if you want or try the open-source apps that dkbit98 recommended in one of his replies. Again, read the thread.   
full member
Activity: 1792
Merit: 186
https://www.ledger.com/ledger-live/download


I am downloading ledger live from the site.


Now when i look at verifying the files... we also need to download another program?   I see its called hashbit.  How do you make sure a program like hashbit is malware free etc?


Is there a way to check the signature of ledger live without downloading another program?  Obviously you first download ledger live from the website... but can you verify it without downloading hashbit?  Im using windows ten pro if it matters.
full member
Activity: 1792
Merit: 186
Has there been even one case of someone downloading ledger live from the correct ledger site and then downloading malware?


Again I want to verify the ledger live but all this hash sum and these things... are not that simple.  So you need to download a hash on a different site before you download ledger live?


I can't imagine for the average user that doing something like this is simple




Ledger site posts this to verify

https://www.ledger.com/ledger-live/lld-signatures




If you just look at that... how do you even know where to look for the hash etc.
full member
Activity: 1792
Merit: 186
Okay im going to finally update ledger live.


Again Im still using the old ledger live and that is 2.26.1


Right now it shows Ledger Live 2.33.1.


So anyone here had success upgrading ledger live as is when going from a much older version?


So we have to download it directly from ledger site then no matter what?


Im going to do it later so want to make sure as I will be downloading it from ledger site.  But again even though its posted how to check the legit files, i want to make sure I do it right.


legendary
Activity: 2730
Merit: 7065
Ledger has released version 2.33.1 of their Ledger Live software about a week ago.
This would be a good opportunity to verify the installation binaries and the SHA-512sum hashes if you have never done that before to learn something new maybe.
legendary
Activity: 1904
Merit: 1563
I checked reddit and apparently other people seem to have the same issue.  So does one need to download it straight from ledger website or not?
As far as I know, if your Ledger Live is below v2.29.0, the application recommends you to download their latest version from their official website due to major changes[1]. So I think you should be downloading it on their official site and make sure that you have verified the signature.

[1] Ledger Live 2.29.0 - Windows Users

Also even if you are using an older version of ledger live... as long as it show synchronized.... that means your balance is correct right on ledger live?
Yes. The balance you are seeing depends on the accounts added on your Ledger app.
full member
Activity: 1792
Merit: 186
Well... can anyone here confirm if it can still be downloaded on the ledger live app or not?


It has the


Update to Ledger Live Version 2.32.2 is available



When I click download update, it does show downloading update... but it takes a very long time and nothing seem to do anything?  I had tried to download it... then I notice because i was idle on my computer, well ledger live would automatically sign you off etc.  So i go and sign back on... then download update, make sure i move my mouse frequently to make sure ledger live doesn't sign off... still downloading.



Previously any ledger live update I clicked on when using ledger live... it was pretty quick. 



I checked reddit and apparently other people seem to have the same issue.  So does one need to download it straight from ledger website or not?  Or does anyone have an estimated time of how long it takes to download this update?  As you know when you download the update straight from ledger live... it doesn't show you like how much percentage of it has been downloaded etc... so you just wait.



Also even if you are using an older version of ledger live... as long as it show synchronized.... that means your balance is correct right on ledger live?
legendary
Activity: 2730
Merit: 7065
As I mentioned earlier, Ledger Live claim that it is automatically verifying the download for you when you use the update button...

What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.
I understood the bolded part as a suggestion to users to still verify one instance of Ledger Live before they install it. After that, Ledger will carry out the other checks for all future updates. But you know the saying: Don't verify, update!" It shouldn't matter what Ledger says.

But its taking a very long time.  Is this normal?
Yes, it's normal (he said hoping you would stop asking unnecessary questions). Just make sure you have a priest present in the room to provide your software with the needed blessings. He should also be able to speed up the download time.   

Again I haven't did any ledger live update through ledger live in months, etc., etc., etc.
Oh good. It's been almost a day and I was worried that you wouldn't tell us that you haven't done any Ledger Live updates in months. Thanks for that. See you tomorrow where I expect you to tell us how long and why you haven't done any Ledger Live updates.
full member
Activity: 1792
Merit: 186
Okay so I clicked on update now on ledger live.


Its showing


Downloading update...



But its taking a very long time.  Is this normal?  Again I haven't did any ledger live update through ledger live in months since last time it was mentioned you had to do it through the website so I didn't do it for months.


Previously whenever I click on update in top right corner of ledger live, it was very fast and then I clicked on download now etc.
HCP
legendary
Activity: 2086
Merit: 4363
How would that verify anything? The update button does what its name suggests. It updates the software to the newest release. You have to do the verification yourself as explained in the OP. 
As I mentioned earlier, Ledger Live claim that it is automatically verifying the download for you when you use the update button...

What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.

So, theoretically, there is no need to verify anything if you use the "in app" update button... you only need to manually verify the installers that are downloaded manually.
legendary
Activity: 2730
Merit: 7065
Hey.  Well back then, I always clicked on the update on the top right corner in ledger live whenever i saw an update available.  I always did this until few month ago when there was a ledger live update and people said you had to download it directly from the ledger website... so because of that... I didn't want to do it.
I really have to ask... Are you receiving regular and repeated blows to your head or something? Click the update button to update your version of Ledger live, what's wrong with you?

You can't verify the download when clicking on top right corner of update on ledger live right?
How would that verify anything? The update button does what its name suggests. It updates the software to the newest release. You have to do the verification yourself as explained in the OP. 
full member
Activity: 1792
Merit: 186
Hey.  Well back then, I always clicked on the update on the top right corner in ledger live whenever i saw an update available.  I always did this until few month ago when there was a ledger live update and people said you had to download it directly from the ledger website... so because of that... I didn't want to do it.


So to confirm... just updating right now on the top right corner on ledger live would never be an issue right?  Again, that is how i always used to update ledger live whenever i open ledger live and there is update available, i always update.  But because of what happened last time, i just decided to wait. 



You can't verify the download when clicking on top right corner of update on ledger live right?
legendary
Activity: 2730
Merit: 7065
You are asking the same questions and coming to the same conclusions like you did yesterday. If the update Ledger Live button is available on your computer and current version of LL, just click on it and update to the newest version. I wasn't joking when I said it yesterday. If you feel like verifying the authenticity of the downloaded software, just follow the step-by-step instructions in my OP. It's simple.
HCP
legendary
Activity: 2086
Merit: 4363
Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download download any update since then.
It's really easy to verify the download... Ledger have all the information here: https://www.ledger.com/ledger-live/lld-signatures

The first page of this thread gives plenty of details on how to go about doing it.


An attacker who can compromise the Ledger website and make it link to a malicious download could equally compromise whichever server Ledger Live connects to when you hit the "Update" button and make that point towards a piece of malicious software too.

With any piece of software, just downloading it from the "correct" source (while good practice) is never enough to ensure your safety. You should always verify it against the developer's keys or hashes.
And then Ledger say things like this:
What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.

Seems they've set up Ledger Live to automatically authenticate any updates that it downloads... so, theoretically, once you've verified the installer once, you shouldn't need to do it again if you're using the in-app update mechanism... Would be interesting to see how robust this actually is. Huh
legendary
Activity: 2268
Merit: 18771
Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download download any update since then.
An attacker who can compromise the Ledger website and make it link to a malicious download could equally compromise whichever server Ledger Live connects to when you hit the "Update" button and make that point towards a piece of malicious software too.

With any piece of software, just downloading it from the "correct" source (while good practice) is never enough to ensure your safety. You should always verify it against the developer's keys or hashes.
full member
Activity: 1792
Merit: 186
Well I remember few months ago, there was a ledger live update and it was mentioned you could not download the update like normal by clicking on update now on ledger live program and had to go directly to ledger.com site in order to do the update.  Isn't that true?


Because of that, I didn't do any ledger live update since then.  Previously before this, i always click update on the top right corner in ledger live. 



So its confirmed... you can do this now?  But a while back, you couldn't... correct?



Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download download any update since then.



Thanks.
legendary
Activity: 2730
Merit: 7065
Im still using the older version of ledger live as i haven't updated it in a few months because i remember people said you couldn't just click download update on the top right corner when you open ledger live and needed to go directly to ledger site to download the new ledger live update.
Why would that present a problem to you? You could have gotten the updates from the official site like everyone else.  

Is this still true or not?   Before this, I always slick download update and then it updated to newest version of ledger ilve. When i open ledger live, i see message of Update to Ledger Live version 2.32.2. Can you just click on download update like I did back then... or do i need to go directly to ledger site to do it?
If the option to update through the app is available again and you can click on the button, just do it. There is no need to download it manually from the official site then.


Also I haven't connected my ledger live to my laptop in few months.
 You mean Ledger Nano S. Ledger Live is a piece of software, your hardware wallet is called Nano S.

Is it fine to connect it to the laptop while still using the older version of ledger live?
Yes that's fine.

Also even though I never downloaded the newest version of ledger live... everytime i sign in ledger live, it does show synchronized in the top right corner.  So if you never updated never live but it does shown synchronize... your balance should always be correct right?
The app checks the blockchain for any new transactions that could have been made, that's why it's synching. It will do that from older versions of the app as well unless the team decides otherwise.

@jerry0
This thread is about how to verify the authenticity of Ledger Live. I would appreciate if you keep the discussions on topic. If you have other questions, make a new thread or post in one of your old ones.
full member
Activity: 1792
Merit: 186
Also even though I never downloaded the newest version of ledger live... everytime i sign in ledger live, it does show synchronized in the top right corner.  So if you never updated never live but it does shown synchronize... your balance should always be correct right? 
full member
Activity: 1792
Merit: 186
Im still using the older version of ledger live as i haven't updated it in a few months because i remember people said you couldn't just click download update on the top right corner when you open ledger live and needed to go directly to ledger site to download the new ledger live update.  Is this still true or not?   Before this, I always slick download update and then it updated to newest version of ledger ilve.


When i open ledger live, i see message of



Update to Ledger Live version 2.32.2   



Can you just click on download update like I did back then... or do i need to go directly to ledger site to do it?



Also I haven't connected my ledger live to my laptop in few months.  Is it fine to connect it to the laptop while still using the older version of ledger live?  Or should one always have the updated version of ledger live first before connecting the nano ledger s to it?  Back then, i always downloaded any updates on ledger live since it was as simple as click download update on top right corner of ledger live.



HCP
legendary
Activity: 2086
Merit: 4363
There is also a Get-FileHash applet in Windows PowerShell... it's actually the one mentioned on the Ledger site showing how to verify it... they just didn't make it obvious it was for PowerShell! Roll Eyes:
Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512

That will also generate the SHA512 hash... unfortunately, it doesn't format the output very well and tends to truncate the hash output! Roll Eyes Undecided



But, as luck would have it... a minor addition to the command will work wonders:
Code:
Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512 | Format-Table -Wrap



or
Code:
Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap

Pages:
Jump to: