How To Verify the Downloaded Version of Ledger Live - page 2.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: jerry0 on September 25, 2021, 04:42:20 PM

So we have to download it directly from ledger site then no matter what?

You don't need to download anything from Ledger's site just for the sake of updating, but you need to download the installation file whose authenticity you are verifying.

Quote from: jerry0 on September 25, 2021, 04:42:20 PM

But again even though its posted how to check the legit files, i want to make sure I do it right.

The thread and the replies by other members show how to do it right. Don't ask questions for every step of the process. Everything is explained.

Quote from: jerry0 on September 25, 2021, 04:51:33 PM

Has there been even one case of someone downloading ledger live from the correct ledger site and then downloading malware?

I just checked with all people on earth who use Ledger Live. The answer is negative.

Quote from: jerry0 on September 25, 2021, 04:51:33 PM

Again I want to verify the ledger live but all this hash sum and these things... are not that simple. So you need to download a hash on a different site before you download ledger live?

You do it exactly the way it was explained in the OP. That's why it was written in the first place. It wasn't written so that Jerry can ask whether or not it's the right way to do it.

Quote from: jerry0 on September 25, 2021, 04:51:33 PM

I can't imagine for the average user that doing something like this is simple

My condolences.

Quote from: jerry0 on September 25, 2021, 04:51:33 PM

If you just look at that... how do you even know where to look for the hash etc.

By reading what is written on the site from top to bottom. You can do that, right? Click on all of the links and download them to the same folder.

Quote from: jerry0 on September 25, 2021, 09:50:49 PM

Now when i look at verifying the files... we also need to download another program? I see its called hashbit. How do you make sure a program like hashbit is malware free etc?

How have you made sure the other programs on your Windows computer are malware-free? Have you? Have you made sure the Ledger Live app you are using is malware-free? Use Hashbit if you want or try the open-source apps that dkbit98 recommended in one of his replies. Again, read the thread.

jerry0

full member

Activity: 1708

Merit: 185

https://www.ledger.com/ledger-live/download

I am downloading ledger live from the site.

Now when i look at verifying the files... we also need to download another program? I see its called hashbit. How do you make sure a program like hashbit is malware free etc?

Is there a way to check the signature of ledger live without downloading another program? Obviously you first download ledger live from the website... but can you verify it without downloading hashbit? Im using windows ten pro if it matters.

jerry0

full member

Activity: 1708

Merit: 185

Has there been even one case of someone downloading ledger live from the correct ledger site and then downloading malware?

Again I want to verify the ledger live but all this hash sum and these things... are not that simple. So you need to download a hash on a different site before you download ledger live?

I can't imagine for the average user that doing something like this is simple

Ledger site posts this to verify

https://www.ledger.com/ledger-live/lld-signatures

If you just look at that... how do you even know where to look for the hash etc.

jerry0

full member

Activity: 1708

Merit: 185

Okay im going to finally update ledger live.

Again Im still using the old ledger live and that is 2.26.1

Right now it shows Ledger Live 2.33.1.

So anyone here had success upgrading ledger live as is when going from a much older version?

So we have to download it directly from ledger site then no matter what?

Im going to do it later so want to make sure as I will be downloading it from ledger site. But again even though its posted how to check the legit files, i want to make sure I do it right.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Ledger has released version 2.33.1 of their Ledger Live software about a week ago.
This would be a good opportunity to verify the installation binaries and the SHA-512sum hashes if you have never done that before to learn something new maybe.

Maus0728

legendary

Activity: 1876

Merit: 1552

Bitcoin Casino Est. 2013

Quote from: jerry0 on September 05, 2021, 10:42:57 PM

I checked reddit and apparently other people seem to have the same issue. So does one need to download it straight from ledger website or not?

As far as I know, if your Ledger Live is below v2.29.0, the application recommends you to download their latest version from their official website due to major changes^[1]. So I think you should be downloading it on their official site and make sure that you have verified the signature.

[1] Ledger Live 2.29.0 - Windows Users

Quote from: jerry0 on September 05, 2021, 10:42:57 PM

Also even if you are using an older version of ledger live... as long as it show synchronized.... that means your balance is correct right on ledger live?

Yes. The balance you are seeing depends on the accounts added on your Ledger app.

jerry0

full member

Activity: 1708

Merit: 185

Well... can anyone here confirm if it can still be downloaded on the ledger live app or not?

It has the

Update to Ledger Live Version 2.32.2 is available

When I click download update, it does show downloading update... but it takes a very long time and nothing seem to do anything? I had tried to download it... then I notice because i was idle on my computer, well ledger live would automatically sign you off etc. So i go and sign back on... then download update, make sure i move my mouse frequently to make sure ledger live doesn't sign off... still downloading.

Previously any ledger live update I clicked on when using ledger live... it was pretty quick.

I checked reddit and apparently other people seem to have the same issue. So does one need to download it straight from ledger website or not? Or does anyone have an estimated time of how long it takes to download this update? As you know when you download the update straight from ledger live... it doesn't show you like how much percentage of it has been downloaded etc... so you just wait.

Also even if you are using an older version of ledger live... as long as it show synchronized.... that means your balance is correct right on ledger live?

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: HCP on September 04, 2021, 04:39:51 PM

As I mentioned earlier, Ledger Live claim that it is automatically verifying the download for you when you use the update button...

Quote from: https://www.ledger.com/ledger-live/lld-signatures

What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.

I understood the bolded part as a suggestion to users to still verify one instance of Ledger Live before they install it. After that, Ledger will carry out the other checks for all future updates. But you know the saying: Don't verify, update!" It shouldn't matter what Ledger says.

Quote from: jerry0 on September 04, 2021, 07:07:59 PM

But its taking a very long time. Is this normal?

Yes, it's normal (he said hoping you would stop asking unnecessary questions). Just make sure you have a priest present in the room to provide your software with the needed blessings. He should also be able to speed up the download time.

Quote from: jerry0 on September 04, 2021, 07:07:59 PM

Again I haven't did any ledger live update through ledger live in months, etc., etc., etc.

Oh good. It's been almost a day and I was worried that you wouldn't tell us that you haven't done any Ledger Live updates in months. Thanks for that. See you tomorrow where I expect you to tell us how long and why you haven't done any Ledger Live updates.

jerry0

full member

Activity: 1708

Merit: 185

Okay so I clicked on update now on ledger live.

Its showing

Downloading update...

But its taking a very long time. Is this normal? Again I haven't did any ledger live update through ledger live in months since last time it was mentioned you had to do it through the website so I didn't do it for months.

Previously whenever I click on update in top right corner of ledger live, it was very fast and then I clicked on download now etc.

HCP

legendary

Activity: 2086

Merit: 4314

Quote from: Pmalek on September 04, 2021, 02:58:27 AM

How would that verify anything? The update button does what its name suggests. It updates the software to the newest release. You have to do the verification yourself as explained in the OP.

As I mentioned earlier, Ledger Live claim that it is automatically verifying the download for you when you use the update button...

Quote from: https://www.ledger.com/ledger-live/lld-signatures

What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.

So, theoretically, there is no need to verify anything if you use the "in app" update button... you only need to manually verify the installers that are downloaded manually.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: jerry0 on September 04, 2021, 01:41:13 AM

Hey. Well back then, I always clicked on the update on the top right corner in ledger live whenever i saw an update available. I always did this until few month ago when there was a ledger live update and people said you had to download it directly from the ledger website... so because of that... I didn't want to do it.

I really have to ask... Are you receiving regular and repeated blows to your head or something? Click the update button to update your version of Ledger live, what's wrong with you?

Quote from: jerry0 on September 04, 2021, 01:41:13 AM

You can't verify the download when clicking on top right corner of update on ledger live right?

How would that verify anything? The update button does what its name suggests. It updates the software to the newest release. You have to do the verification yourself as explained in the OP.

jerry0

full member

Activity: 1708

Merit: 185

Hey. Well back then, I always clicked on the update on the top right corner in ledger live whenever i saw an update available. I always did this until few month ago when there was a ledger live update and people said you had to download it directly from the ledger website... so because of that... I didn't want to do it.

So to confirm... just updating right now on the top right corner on ledger live would never be an issue right? Again, that is how i always used to update ledger live whenever i open ledger live and there is update available, i always update. But because of what happened last time, i just decided to wait.

You can't verify the download when clicking on top right corner of update on ledger live right?

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: jerry0 on August 30, 2021, 12:21:32 AM

You are asking the same questions and coming to the same conclusions like you did yesterday. If the update Ledger Live button is available on your computer and current version of LL, just click on it and update to the newest version. I wasn't joking when I said it yesterday. If you feel like verifying the authenticity of the downloaded software, just follow the step-by-step instructions in my OP. It's simple.

HCP

legendary

Activity: 2086

Merit: 4314

Quote from: jerry0 on August 30, 2021, 12:21:32 AM

Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download download any update since then.

It's really easy to verify the download... Ledger have all the information here: https://www.ledger.com/ledger-live/lld-signatures

The first page of this thread gives plenty of details on how to go about doing it.

Quote from: o_e_l_e_o on August 30, 2021, 04:10:05 AM

An attacker who can compromise the Ledger website and make it link to a malicious download could equally compromise whichever server Ledger Live connects to when you hit the "Update" button and make that point towards a piece of malicious software too.

With any piece of software, just downloading it from the "correct" source (while good practice) is never enough to ensure your safety. You should always verify it against the developer's keys or hashes.

And then Ledger say things like this:

Quote from: https://www.ledger.com/ledger-live/lld-signatures

What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.

Seems they've set up Ledger Live to automatically authenticate any updates that it downloads... so, theoretically, once you've verified the installer once, you shouldn't need to do it again if you're using the in-app update mechanism... Would be interesting to see how robust this actually is. Huh

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: jerry0 on August 30, 2021, 12:21:32 AM

Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download download any update since then.

An attacker who can compromise the Ledger website and make it link to a malicious download could equally compromise whichever server Ledger Live connects to when you hit the "Update" button and make that point towards a piece of malicious software too.

With any piece of software, just downloading it from the "correct" source (while good practice) is never enough to ensure your safety. You should always verify it against the developer's keys or hashes.

jerry0

full member

Activity: 1708

Merit: 185

Well I remember few months ago, there was a ledger live update and it was mentioned you could not download the update like normal by clicking on update now on ledger live program and had to go directly to ledger.com site in order to do the update. Isn't that true?

Because of that, I didn't do any ledger live update since then. Previously before this, i always click update on the top right corner in ledger live.

So its confirmed... you can do this now? But a while back, you couldn't... correct?

Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download download any update since then.

Thanks.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: jerry0 on August 28, 2021, 08:58:11 PM

Im still using the older version of ledger live as i haven't updated it in a few months because i remember people said you couldn't just click download update on the top right corner when you open ledger live and needed to go directly to ledger site to download the new ledger live update.

Why would that present a problem to you? You could have gotten the updates from the official site like everyone else.

Quote from: jerry0 on August 28, 2021, 08:58:11 PM

Is this still true or not? Before this, I always slick download update and then it updated to newest version of ledger ilve. When i open ledger live, i see message of Update to Ledger Live version 2.32.2. Can you just click on download update like I did back then... or do i need to go directly to ledger site to do it?

If the option to update through the app is available again and you can click on the button, just do it. There is no need to download it manually from the official site then.

Quote from: jerry0 on August 28, 2021, 08:58:11 PM

Also I haven't connected my ledger live to my laptop in few months.

You mean Ledger Nano S. Ledger Live is a piece of software, your hardware wallet is called Nano S.

Quote from: jerry0 on August 28, 2021, 08:58:11 PM

Is it fine to connect it to the laptop while still using the older version of ledger live?

Yes that's fine.

Quote from: jerry0 on August 28, 2021, 09:00:29 PM

Also even though I never downloaded the newest version of ledger live... everytime i sign in ledger live, it does show synchronized in the top right corner. So if you never updated never live but it does shown synchronize... your balance should always be correct right?

The app checks the blockchain for any new transactions that could have been made, that's why it's synching. It will do that from older versions of the app as well unless the team decides otherwise.

@jerry0
This thread is about how to verify the authenticity of Ledger Live. I would appreciate if you keep the discussions on topic. If you have other questions, make a new thread or post in one of your old ones.

jerry0

full member

Activity: 1708

Merit: 185

Also even though I never downloaded the newest version of ledger live... everytime i sign in ledger live, it does show synchronized in the top right corner. So if you never updated never live but it does shown synchronize... your balance should always be correct right?

jerry0

full member

Activity: 1708

Merit: 185

Im still using the older version of ledger live as i haven't updated it in a few months because i remember people said you couldn't just click download update on the top right corner when you open ledger live and needed to go directly to ledger site to download the new ledger live update. Is this still true or not? Before this, I always slick download update and then it updated to newest version of ledger ilve.

When i open ledger live, i see message of

Update to Ledger Live version 2.32.2

Can you just click on download update like I did back then... or do i need to go directly to ledger site to do it?

Also I haven't connected my ledger live to my laptop in few months. Is it fine to connect it to the laptop while still using the older version of ledger live? Or should one always have the updated version of ledger live first before connecting the nano ledger s to it? Back then, i always downloaded any updates on ledger live since it was as simple as click download update on top right corner of ledger live.

HCP

legendary

Activity: 2086

Merit: 4314

There is also a Get-FileHash applet in Windows PowerShell... it's actually the one mentioned on the Ledger site showing how to verify it... they just didn't make it obvious it was for PowerShell! Roll Eyes

:

Quote from: https://www.ledger.com/ledger-live/lld-signatures

Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512

That will also generate the SHA512 hash... unfortunately, it doesn't format the output very well and tends to truncate the hash output! Roll Eyes

But, as luck would have it... a minor addition to the command will work wonders:

Code:

Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512 | Format-Table -Wrap

or

Code:

Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap

Topic: How To Verify the Downloaded Version of Ledger Live - page 2. (Read 604 times)