
Topic: How To Verify the Downloaded Version of Ledger Live - page 3. (Read 698 times)

copper member
Activity: 2338
Merit: 4543
Windows has a built-in certificate utility that can be used to calculate SHA512 sums.  Here's an example of how to use it to find the checksum of the hashfile.  You can use the same tool to calculate SHA256 and MD5 sums also.  Just change the sha512 at the end of the command to sha256 or md5 to obtain those sums.

Code:
CertUtil -hashfile C:\path\to\file\ledger-live-desktop-2.32.2-win.exe sha512

HCP
legendary
Activity: 2086
Merit: 4363
I did notice a significant difference in size. The Windows installer I downloaded from the wiki source is 63MB, while the curl 7.78.0 for Windows is only 5MB.

There is a 3MB "Light" installer available on the slproweb.com download page. As per the notes, it's the recommended one for "users":
I guess the first source contains many more libraries and/or tools while curl.se only comes with the basic package.    
Yes, I would concur... the 63MB one probably includes full source, libs and other tools that are useful/needed by software developers, but are not strictly necessary to just "use" OpenSSL.
legendary
Activity: 2730
Merit: 7065
The OpenSSL Wiki actually has a list with a number of sites for getting Windows Binaries: https://wiki.openssl.org/index.php/Binaries
Thanks for the list. The OpenSSL wiki has the site I used and recommended placed on top, so everything is good. I did notice a significant difference in size. The Windows installer I downloaded from the wiki source is 63MB, while the curl 7.78.0 for Windows is only 5MB. I guess the first source contains many more libraries and/or tools while curl.se only comes with the basic package.   
HCP
legendary
Activity: 2086
Merit: 4363
Same here. Although Kleopatra is supposed to support .pem files, there seems to be a compatibility issue and it can't be imported as you realized as well.
Kleopatra does support .pem files. I believe the issue is that the public key that Ledger Live are using, is an OpenSSL public key... and not a PGP/GPG public key.

As Kleopatra is GPG based, it fails. Kinda like trying to use an ETH address in a BTC client.


There are Windows installers for OpenSSL here. This site was suggested on a few forums as a source to get hold of OpenSSL without having to compile it yourself.
The OpenSSL Wiki actually has a list with a number of sites for getting Windows Binaries: https://wiki.openssl.org/index.php/Binaries

I just used the curl.se one because it was one I had stumbled across previously and knew that it worked.
legendary
Activity: 2730
Merit: 7065
As far as I can tell... the .pem file from Ledger (which is their public key), is not importable into Kleopatra.

I just get a "BER Error" when attempting to import this public key
Same here. Although Kleopatra is supposed to support .pem files, there seems to be a compatibility issue and it can't be imported as you realized as well.

So, for windows, I downloaded the "precompiled openssl binaries"[1] from here: https://curl.se/windows/
There are Windows installers for OpenSSL here. This site was suggested on a few forums as a source to get hold of OpenSSL without having to compile it yourself.

The Ledger files can be anywhere, as long as they are in the same folder. You just need to configure OpenSSL to the correct directory and it will work.
legendary
Activity: 2870
Merit: 7490
I did get the Openssl software on my computer but I don't know how to work with it unfortunately.

I never tried OpenSSL for Windows, but AFAIK all you need to do is put all the files in the same folder and run this command. If your cmd can't find openssl, you need to add the folder which contains openssl to the PATH variable (see https://helpdeskgeek.com/windows-10/add-windows-path-environment-variable/).

Code:
openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.32.2.sha512sum.sig ledger-live-desktop-2.32.2.sha512sum
HCP
legendary
Activity: 2086
Merit: 4363
As far as I can tell... the .pem file from Ledger (which is their public key), is not importable into Kleopatra.

I just get a "BER Error" when attempting to import this public key:



As far as I can tell, it's just not compatible with GPG... seems they're using openssl, and not GPG.


So, for windows, I downloaded the "precompiled openssl binaries"[1] from here: https://curl.se/windows/
Then I extracted the contents of that archive to C:\OpenSSL (to make life easier)... and then put the .pem, the .sha512sum and the .sig file in there as well.

Then used the openssl commandline as per the Ledger website:
Code:
openssl.exe dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.32.2.sha512sum.sig ledger-live-desktop-2.32.2.sha512sum



As you can see, I got the "Verified OK" message.



As mentioned, WSL (Windows Subsystem for Linux) is available on Windows 10 and gives you the ability to install several Linux distros and open up a Linux terminal. (sidenote: WSL2 on Windows 11 even has support for running Linux GUI apps!)

So, that's also an option.


[1] I don't currently have access to my dev machine, otherwise I would have downloaded and compiled the source myself.
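
The two checks discussed in this thread, chained together for the Linux/WSL terminal mentioned above. This is an added example, not part of any post here and not Ledger's own script: it first verifies the signature on the .sha512sum file with the same openssl command, then compares the installer against its entry in that file. The function names are hypothetical, and the layout of the .sha512sum file (standard sha512sum lines, file names without spaces) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from Ledger). Function names are
# hypothetical. Assumes sha512sum-style lines in the sums file:
#   <128 hex chars>  <file name>     (a '*' may precede the name)
# and file names without spaces.

# Step 1: was the sums file signed by the key in the .pem?
# openssl exits 0 only when it prints "Verified OK".
verify_sums_signature() {   # args: pem sig sums
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Step 2: does the installer match its entry in the sums file?
# Returns 0 on match, 1 on mismatch, 2 when the file has no entry.
verify_installer_hash() {   # args: sums installer
    vh_name=$(basename "$2")
    vh_expected=$(awk -v n="$vh_name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$1")
    if [ -z "$vh_expected" ]; then
        echo "no entry for $vh_name in $1" >&2
        return 2
    fi
    vh_actual=$(sha512sum < "$2" | awk '{ print $1 }')
    [ "$vh_actual" = "$vh_expected" ]
}

# Both steps in order: the hash is compared only after the signature passed.
verify_release() {          # args: pem sig sums installer
    verify_sums_signature "$1" "$2" "$3" ||
        { echo "FAILED: signature on $3" >&2; return 1; }
    verify_installer_hash "$3" "$4" ||
        { echo "FAILED: hash of $4" >&2; return 1; }
    echo "OK: $4 matches the signed checksum file"
}

# Runs only when called with four arguments, e.g. with the thread's file names:
#   sh verify.sh ledgerlive.pem ledger-live-desktop-2.32.2.sha512sum.sig \
#      ledger-live-desktop-2.32.2.sha512sum ledger-live-desktop-2.32.2-win.exe
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

A "Verified OK" on the .sha512sum file alone says nothing about the installer until the second step has also passed.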
legendary
Activity: 2730
Merit: 7065
I finally got the "Verified OK" notification for the SHA512 hash with OpenSSL. I haven't worked with this software in the past, so I had problems navigating to the correct path destination.

For those who want to try, the correct command is: cd followed by the path location. For example, if the folder with the downloaded Ledger files is on your Desktop, you would enter something like this:
Code:
cd \Users\YourUsername\Desktop\Name of the Folder

For example:
cd \Users\Pmalek\Desktop\Ledger
legendary
Activity: 1134
Merit: 1599
I think there's one more way to do it. I know you can get the Debian or Ubuntu terminal from the Win10 store, has anyone tried verifying sha256 or sha512 hashes with it? It's a quite easy setup, IIRC you just download Debian or Ubuntu from the Store, launch it and you can use apt to get the software you need for future use. ADB can be used through it, someone should try a sha256sum command on it to see if it works.
legendary
Activity: 2870
Merit: 7490
By "I can't get it to work", do you mean you can't get the output "Verified OK" when verifying the file which contains the SHA-512 sum?
I am using Windows 10. I am not sure if Kleopatra is the appropriate tool for this or if I am just not doing it correctly. Maybe Openssl or something simpler?
I am getting a "Decryption failed: No CMS object" when trying to verify the .pem file. The LL app, public key file, and SHA512sum.sig file are all in the same folder.

OpenSSL is also available for Windows, so I would recommend that. I can't find information on whether Kleopatra supports .pem files, but if you can't choose a .pem file when importing a public key, it's likely Kleopatra doesn't support it.
legendary
Activity: 2730
Merit: 7065
OpenSSL is also available for Windows, so I would recommend that. I can't find information on whether Kleopatra supports .pem files, but if you can't choose a .pem file when importing a public key, it's likely Kleopatra doesn't support it.
When you click on the import button in Kleopatra, the software shows the certificate formats it accepts. Among others, it should be able to recognize .asc, .cer, .cert, .pem, and some others. But I am still getting an error trying to import the LL .pem file. Maybe the names of the files aren't correct or there is some other reason why it doesn't work.

I did get the Openssl software on my computer but I don't know how to work with it unfortunately.
legendary
Activity: 2730
Merit: 7065
By "I can't get it to work", do you mean you can't get the output "Verified OK" when verifying the file which contains the SHA-512 sum?
I am using Windows 10. I am not sure if Kleopatra is the appropriate tool for this or if I am just not doing it correctly. Maybe Openssl or something simpler?
I am getting a "Decryption failed: No CMS object" when trying to verify the .pem file. The LL app, public key file, and SHA512sum.sig file are all in the same folder.

You seem to love closed source software very much.
Love? No. Use? Yes.

Maybe software like OpenHashTab or HashCheck would be a better open source alternative to use.
Sure, why not. A greater choice of tools is always good. Feel free to use one of those and post if you get different results.
legendary
Activity: 2212
Merit: 7064
An even better and safer option is not downloading and using the Ledger Live app at all.

A utility that displays file hashes, such as Hashtab.
You seem to love closed source software very much, so I have to trust them until they release Hashtab as open source (soon... like they say). That defeats the purpose of verifying anything, and I think they don't have a Linux version.
Maybe software like OpenHashTab or HashCheck would be a better open source alternative to use.

Sadly, my "go to" which is the "CRC SHA" context menu that 7-Zip installs only supports SHA256. Is great for Bitcoin Core as it is still using SHA256's for its release hashes, but it seems Ledger have gone to the extreme with SHA512.
I think that the PeaZip free archiver also has this option for SHA512 built in, and it is a great open source alternative for 7-Zip.


legendary
Activity: 2870
Merit: 7490
I have been trying to do the second part of the verification ("Verify the sha512sum hashes") as mentioned on https://www.ledger.com/ledger-live/lld-signatures, but I can't get it to work. Does anyone know how to verify if the files are actually signed by Ledger? Feel free to post the step-by-step instructions please.

By "I can't get it to work", do you mean you can't get the output "Verified OK" when verifying the file which contains the SHA-512 sum? The guide for Linux is straightforward.
legendary
Activity: 2730
Merit: 7065
I have been trying to do the second part of the verification ("Verify the sha512sum hashes") as mentioned on https://www.ledger.com/ledger-live/lld-signatures, but I can't get it to work. Does anyone know how to verify if the files are actually signed by Ledger? Feel free to post the step-by-step instructions please.
HCP
legendary
Activity: 2086
Merit: 4363
The point is that everybody should just look around; you may already have a tool that makes you the hash.
Sadly, my "go to" which is the "CRC SHA" context menu that 7-Zip installs only supports SHA256. Is great for Bitcoin Core as it is still using SHA256's for its release hashes, but it seems Ledger have gone to the extreme with SHA512.


Quote
All in all, it's useful to know that LL also has a checksum one can verify.
Very... I didn't even know that they had these listed!
legendary
Activity: 3668
Merit: 6382
There are multiple tools for getting the hash for a file. I use Double Commander as a file manager for Windows, and this one also has in Files->Calculate checksum the option to create a file next to yours, containing the checksum you selected (and one of the options is sha-512).



The point is that everybody should just look around; you may already have a tool that makes you the hash.
All in all, it's useful to know that LL also has a checksum one can verify.
legendary
Activity: 2730
Merit: 7065
Some members on Bitcointalk use Ledger hardware wallets, and a few use the native Ledger Live app as well. I noticed that we don’t have a thread about verifying Ledger Live signatures or the installation files, so I thought I would write a quick guide on how to do it.

This tutorial is for Windows users.

What is needed for the verification?

•   A utility that displays file hashes, such as Hashtab.
•   The Ledger Live app for your OS.

Verifying the installation binary

1.   Download and install Hashtab on your computer. Here is a VirusTotal report for the newest version.
2.   Download the correct version of Ledger Live for your OS.
3.   After LL has been downloaded, find the file, right-click on it, and click on “Properties”.
4.   If you installed Hashtab, you should notice a new tab called “File Hashes” under properties. Click on it.

5.   On the File Hashes tab, right-click in the white box and click on “Settings”.
6.   A new window will open, showing all Hashtab settings. Unselect all of them, tick only the “SHA-512” box, and click “OK”.

7.   Visit the Ledger Live Download Signatures page. Scroll down a little bit until you find the “Verify my Ledger Live install binary” section.
8.   Copy the SHA-512 hash for Windows from the site.

9.   In the Ledger Live properties menu under “File Hashes”, paste the copied SHA-512 hash in the “Hash Comparison” bar. If they are identical, a green tick mark will appear on your screen.

10.  You have either copied the wrong hash or downloaded a fake version of Ledger Live if you get a red cross instead.


More information on how to verify the SHA-512sum hashes can be found here: https://www.ledger.com/ledger-live/lld-signatures
Additionally, check out these posts for more instructions on how to verify the SHA-512sum hashes: 1, 2.


Source: https://support.ledger.com/hc/en-us/articles/4404807946001-How-to-verify-the-authenticity-of-Ledger-Live-on-Windows-?support=true
