
Topic: How To Verify the Downloaded Version of Ledger Live (Read 604 times)

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I don't know what Ledger folks are doing. I expect a checksum or link to a checksums page in the proximity of a download link and cherry on top is when there's a link to a thorough explanation on how to verify the checksum and integrity of the download properly.
The lack of information and instructions was like that from the beginning. I doubt they will do much to improve it. But just follow the recommendations in this thread and you will get there. It's a bad security practice to store all the files at the same place, but taking shortcuts seems to be a normal part of Ledger's business model.
hero member
Activity: 714
Merit: 1010
I don't know what Ledger folks are doing. I expect a checksum or link to a checksums page in the proximity of a download link and cherry on top is when there's a link to a thorough explanation on how to verify the checksum and integrity of the download properly.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
(I wouldn't consider https://ledger-live.vercel.app/lld-signatures as a valid source for the current checksums as posted by this moderator btchip on reddit who's flagged as Ledger co-founder; ridiculous security policy).
That's the first time I am seeing that source. I am also not a fan of browsing reddit and I wasn't aware that it was being recommended there. Maybe btchip is promoting it as a temporary solution while they complete their migration. It's interesting that the site you posted isn't mentioned in Ledger's official support documentation that explains how to verify the authenticity of Ledger Live even though the last update was on 29 June 2022.

The article mentions downloading and verifying version 2.42 of LL and then using the in-app update feature to upgrade to the newest version. https://ledger-live.vercel.app/lld-signatures isn't mentioned.   
hero member
Activity: 714
Merit: 1010

So it took them approx. from end of May until end of July to fix the important checksums page https://www.ledger.com/ledger-live/lld-signatures on their own website? (I wouldn't consider https://ledger-live.vercel.app/lld-signatures as a valid source for the current checksums as posted by this moderator btchip on reddit who's flagged as Ledger co-founder; ridiculous security policy).
Until yesterday or day before yesterday https://www.ledger.com/ledger-live/lld-signatures was stuck at v2.42 as last available checksums.

The Ledger folks have some strange priorities.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
It is again possible to verify the installation binaries of Ledger Live by following the instructions in OP and using the data available on https://www.ledger.com/ledger-live/lld-signatures just like in the past. Since Ledger migrated to a new GitHub repository, they didn't update the site with the sha512 hashes and signatures for the new releases, but now it's available again.

Since the old GitHub site with release notes isn't maintained anymore, you can now see what's new in the new versions by going to https://support.ledger.com/hc/en-us/articles/360020773319-What-s-new-in-Ledger-Live-?docs=true.
full member
Activity: 1708
Merit: 185
Yea what he posted is how HCP suggested to check ledger live. 
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Another thing that I realized with the Ledger Live download signatures page is that they removed the links to download the Windows version of Ledger Live. When I initially created this thread, it was still available. While going through the older versions from the dropdown menu, the last release whose Windows link was posted was v2.34.4. Starting from 2.35.0 and onwards, there are only download links for MAC and Linux.

Doesn't really make sense to me. Having them all there would make it easier to download all the needed files for the verification.
copper member
Activity: 2142
Merit: 4219
Nice of you to chip in. So Jerry PMed you as well. I guess there are very few people who weren't contacted by him with the same questions.
If you PMed him with the same exact instructions, he is now going to ask you about each step and ask if that is the best way to do it and if everyone else does it that way as well. I can't figure out why he needs instructions in a thread that has provided those instructions by myself and other users who have chipped in and explained various ways to do it.

Yeah, I hope he'll be satisfied with the answer...  And I hope he remembers it months from now when Ledger issues another update.

That OpenSSL signature has been bugging me for a while now, it was like an itch I needed to scratch.  I'm still not satisfied that I couldn't use PowerShell to verify it, but I've got more pressing matters today: There's a prime rib that needs to be BBQ'd.

Happy New Year, all.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Nice of you to chip in. So Jerry PMed you as well. I guess there are very few people who weren't contacted by him with the same questions.
If you PMed him with the same exact instructions, he is now going to ask you about each step and ask if that is the best way to do it and if everyone else does it that way as well. I can't figure out why he needs instructions in a thread that has provided those instructions by myself and other users who have chipped in and explained various ways to do it.
copper member
Activity: 2142
Merit: 4219
@jerry0 contacted me via PM to help with this, sorry it took me so long to get to it.  I haven't used my Ledger wallets in over a year.  Therefore, I haven't had LedgerLive installed on my system, but I went ahead and downloaded the latest version and set about to verify it.

I found Ledger's instructions on how to verify the checksums here: https://www.ledger.com/ledger-live/lld-signatures

I downloaded the .pem file, the .sig file, and the .sha512sum file (saved with a .txt extension.)  The first thing I noticed is that the checksums file is signed with an OpenSSL key, not GPG.  Being a Windows user myself, this created a roadblock right away.  I don't have much experience with OpenSSL, let alone OpenSSL in Windows, so I didn't know how to verify the signature.  I installed the OpenSSL module that's available through PowerShell package manager, but it doesn't appear to provide a command to validate signatures.  I found a third-party package manager that claims to have a module called "OpenSSL.Light" which again claims to work similar to OpenSSL commands on Linux.  I didn't install it, because I don't want a third-party anything installed on my system.  So, I gave up and used WSL to validate the signature.

In WSL I browsed to the directory where I had saved all the files, and ran this command:

Code:
openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.36.3.sha512sum.sig ledger-live-desktop-2.36.3.sha512sum.txt



Kind of a shitty thing to do to Windows users, in my opinion.  Why not just use GPG like almost all of the other software vendors in the cryptocurrency space?  I've been displeased with Ledger for a variety of reasons, and this ain't helping win me back.  Not to mention the lack of security: The OpenSSL certificate, the signature file, and the checksums file are all hosted on the same server.  What could go wrong?


Once that was done the rest of it went fairly smoothly.  Now that I've confirmed the checksum file was signed with the OpenSSL certificate provided by Ledger I can check the SHA512 hash of the executable file.  I was able to do so in PowerShell like I normally do.

I prefer to use CertUtil to check hash sums:

Code:
certutil -hashfile ledger-live-desktop-2.36.3-win-x64.exe sha512



The instructions on Ledger's web page suggest to use the Get-FileHash command, like this:

Code:
Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512

But that's not great.  As you can see below, when using that command it truncates the results, only showing a portion of the hash.  As HCP suggested earlier in this thread you can add "| Format-Table -Wrap" to the end of the command, and the complete results will be displayed.  Here's the full command:

Code:
Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512 | Format-Table -Wrap




@jerry0 was concerned because the results he got were all in capital letters.  As you can see above, the hash sum is the same regardless of which utility you use, but Get-FileHash displays the results with all capital letters, while CertUtil provides the results with all lower-case letters.  It doesn't appear that the hash sum is case-sensitive.
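
The two-step check from the post above (verify the signature over the checksum list, then compare the installer's SHA-512 with the signed entry, ignoring hex case), as an added example that is not part of the original thread or Ledger's own tooling. The function names, the throwaway test key and the demo file names are constructed for illustration; it assumes `openssl`, `sha512sum` and `awk` in a POSIX shell such as WSL.

```shell
#!/bin/sh
# Added example, not Ledger's tooling. Run with no arguments for the constructed
# demo, or with the four real files:
#   sh verify_release.sh ledgerlive.pem FILE.sha512sum.sig FILE.sha512sum.txt INSTALLER

# verify_release PUBKEY SIG SUMS INSTALLER
# Returns 0 only when both checks pass:
#   1. SIG is a valid signature over SUMS under PUBKEY (the command from the post).
#   2. The SHA-512 of INSTALLER equals the entry for its file name in SUMS.
# Exit codes: 1 = bad signature, 2 = file not listed, 3 = hash mismatch.
verify_release() {
    vr_pem=$1; vr_sig=$2; vr_sums=$3; vr_file=$4

    # Step 1: authenticate the checksum list before trusting anything in it.
    if ! openssl dgst -sha256 -verify "$vr_pem" -signature "$vr_sig" "$vr_sums" >/dev/null 2>&1; then
        echo "FAIL: signature over $vr_sums does not verify" >&2
        return 1
    fi

    # Step 2: pick the expected hash by file name. Checksum lists use
    # "<hash>  <name>" or "<hash> *<name>". Hex is normalised to lower case
    # because Get-FileHash prints upper case while certutil prints lower case.
    vr_name=$(basename "$vr_file")
    vr_expected=$(awk -v n="$vr_name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1); exit }' "$vr_sums")
    if ! printf '%s\n' "$vr_expected" | grep -Eq '^[0-9a-f]{128}$'; then
        echo "FAIL: no SHA-512 entry for $vr_name in $vr_sums" >&2
        return 2
    fi

    vr_actual=$(sha512sum "$vr_file" | awk '{ print tolower($1) }')
    if [ "$vr_actual" != "$vr_expected" ]; then
        echo "FAIL: SHA-512 mismatch for $vr_name" >&2
        return 3
    fi
    echo "OK: $vr_name matches the signed checksum list"
}

# Builds throwaway inputs in directory $1: a test key pair, a stand-in
# "installer", a checksum list with the hash in UPPER case, and a signature
# over that list. Everything here is constructed; the key is NOT Ledger's.
make_constructed_fixture() {
    fx=$1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$fx/test-key.pem" 2>/dev/null
    openssl pkey -in "$fx/test-key.pem" -pubout -out "$fx/test-pub.pem"
    printf 'constructed installer bytes\n' > "$fx/demo-installer.exe"
    fx_hash=$(sha512sum "$fx/demo-installer.exe" | awk '{ print toupper($1) }')
    printf '%s  %s\n' "$fx_hash" "demo-installer.exe" > "$fx/demo.sha512sum.txt"
    openssl dgst -sha256 -sign "$fx/test-key.pem" \
        -out "$fx/demo.sha512sum.sig" "$fx/demo.sha512sum.txt"
}

if [ "$#" -eq 4 ]; then
    verify_release "$@"
else
    demo_dir=$(mktemp -d)
    make_constructed_fixture "$demo_dir"
    # Untouched files: both checks pass even though the listed hash is upper case.
    verify_release "$demo_dir/test-pub.pem" "$demo_dir/demo.sha512sum.sig" \
        "$demo_dir/demo.sha512sum.txt" "$demo_dir/demo-installer.exe"
    # An installer changed after the list was signed must be rejected.
    printf 'x' >> "$demo_dir/demo-installer.exe"
    verify_release "$demo_dir/test-pub.pem" "$demo_dir/demo.sha512sum.sig" \
        "$demo_dir/demo.sha512sum.txt" "$demo_dir/demo-installer.exe" \
        || echo "tampered installer rejected (exit $?)"
    rm -rf "$demo_dir"
fi
```

The signature check only shows that the checksum list was signed by the holder of the key you supplied, so the value of the whole procedure rests on where that public key came from.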
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
except how come what I bolded below is all in CAPITAL LETTERS?  
SHA512 - 70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd7636cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf
I never used Powershell for the verification. I did it precisely as explained in the OP and used OpenSSL. The SHA512 string you pasted is not in capital letters. But even if it is, I don't see a reason to worry if you are getting the correct data.

Also to the right of the bolded above... I see Path C:/users/jerry0/downloads/ledger-live-desktop-2.36.3-win-x64.exe.  I don't recall seeing this few months ago when I did this test with windows powershell to verify ledger live?
That's just the location where the downloaded files are that were used for the verification. It was probably there the last time you did it as well, you just don't remember it. Shouldn't be a reason to worry.
full member
Activity: 1708
Merit: 185
I did the step HCP recommended a while back.  



When I typed this in windows powershell...


Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap




It is supposed to show this after you click enter to confirm it matches.


70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd7636cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf






It shows below which is the correct letters and numbers... except how come what I bolded below is all in CAPITAL LETTERS?  Can someone here confirm this?  Last time when I did this with an earlier version of ledger live, I was pretty sure it was all in lowercase.  But now it's all in uppercase?  




SHA512 - 70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd7636cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf




Also to the right of the bolded above... I see Path C:/users/jerry0/downloads/ledger-live-desktop-2.36.3-win-x64.exe.  I don't recall seeing this few months ago when I did this test with windows powershell to verify ledger live?  Just want to make sure before I install it.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Nothing has changed and the procedure is still the same last time I checked. My last LL update was less than a month ago.
I am not sure what you read on reddit. This guide is for Windows, and I tested it on my Windows PC. I don't have a MAC, so I wouldn't know. You use Windows as well, so don't worry about MACs. 
full member
Activity: 1708
Merit: 185
Okay well actually I will come back to this thread.  Reason being I have to do an install of ledger live again.  But the process is still the same right?


I also read on reddit recently that apparently the code for it was not the same?  But I heard this was only with MAC devices?
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Monthly bump
full member
Activity: 1708
Merit: 185
Thanks.


HCP helped me with this and it confirms its legit download.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Security  This file came from another computer and might be blocked to help protect this computer.
Don't worry about the security notification. It happens sometimes when you download something from the internet in Windows. If the file is blocked, you can unblock it yourself. Right click on the file, go to Properties > General, and at the bottom of the screen where you see the security notification there should be an option that says Unblock. Click on it to unblock it if needed and press OK.

Do I just click on the start menu and type in powershell and then click on windows powershell or right click and run as admin on windows power shell.
No, don't do it like that. If you open PowerShell like that, you will have to manually navigate to the destination folder. HCP explained what you should do. After you have downloaded every single item from https://www.ledger.com/ledger-live/lld-signatures and saved them in the same folder, open that folder on your PC. Hold down the shift button on your keyboard while you press the right button on your mouse and click on "Open PowerShell window here". After that, follow the instructions you found.
full member
Activity: 1708
Merit: 185
I just downloaded ledger live from ledger site.


One thing i noticed was when i looked at it file without opening it... i right click it and properties.  I notice in the general tab which it opens up...


The bottom shows


Security  This file came from another computer and might be blocked to help protect this computer.



Did any of you also have this message in the ledger live 2.33.1 download?  I took a look at the old ledger live desktop i downloaded which was 2.26.1 and when I right click it and properties, I don't notice that message.




I am going to do HCP method of verifying the signature and could appreciate if someone could clear everything up.



Do I just click on the start menu and type in powershell and then click on windows powershell or right click and run as admin on windows power shell?



Then once I do that


I see a blue screen that shows


Windows Powershell
Copyright (C) Microsoft Corporation.  All rights reserved.

Try the new cross-platform powershell  https://aka.ms/pscore6


PS C:Users/jerry0>


Then press spacebar once... and then type this and enter?


Get-FileHash ledger-live-desktop-2.33.1-win.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap





I just want to make sure of this before I continue as that security message file came from another computer... i never seen before.  Can you guys confirm this is the correct way to do it without downloading the hashbit etc?


Thing that has me confused is HCP says


You just need to make sure you're in the folder where the .exe is located... if you use Explorer... goto the folder where you downloaded the .exe and then hold down the SHIFT key and right click in an empty space (not on a file or folder) in the window... you should see an option that says "Open PowerShell window here":

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Well HCP tells me i could do the check with powershell in windows ten and i do not have to download hashtag... which is something i like to hear.
So check the authenticity with PowerShell, that's ok. That's why I told you to read the thread, all the instructions are in the OP and the replies underneath it. If there is a post saying you can do it with PowerShell and explains how to, just follow the instructions and don't ask if that is the way the rest of the world does it.

Well he and someone else told me he never heard of one instance of someone downloading ledger live from ledger official site and it being malware as long as its ledgers site.
Well there you go, what more do you want? 

I mean... does the average user who uses a hardware wallet even does the signature thing?
You are not an average user. I think everyone will agree with me that there isn't a single member on this forum like you. It shouldn't matter what other people do. Do it if you want to or don't. It's like with Electrum signatures. You verify them to be certain that the software was created and signed by the development teams it's claimed it originates from. If you don't care, don't do it. It's that simple.

Checking the signature as explained in ledger live ... the way they wrote it... isn't that simple.
What do you want me to do about it? What do you want the Bitcointalk community to do about that?
Again, my condolences. I will keep you in my prayers and ask God to simplify the authentication process for you.
full member
Activity: 1708
Merit: 185
Well HCP tells me i could do the check with powershell in windows ten and i do not have to download hashtag... which is something i like to hear.


Well he and someone else told me he never heard of one instance of someone downloading ledger live from ledger official site and it being malware as long as its ledgers site.  I mean... does the average user who uses a hardware wallet even does the signature thing?


Checking the signature as explained in ledger live ... the way they wrote it... isn't that simple.  It isn't like... okay download the program.  Before you open it... right click it and check properties and make sure it shows exactly this... like what is shown in the picture here...


legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
So we have to download it directly from ledger site then no matter what?
You don't need to download anything from Ledger's site just for the sake of updating, but you need to download the installation file whose authenticity you are verifying. 

But again even though its posted how to check the legit files, i want to make sure I do it right.
The thread and the replies by other members show how to do it right. Don't ask questions for every step of the process. Everything is explained.

Has there been even one case of someone downloading ledger live from the correct ledger site and then downloading malware?
I just checked with all people on earth who use Ledger Live. The answer is negative.

Again I want to verify the ledger live but all this hash sum and these things... are not that simple.  So you need to download a hash on a different site before you download ledger live?
You do it exactly the way it was explained in the OP. That's why it was written in the first place. It wasn't written so that Jerry can ask whether or not it's the right way to do it.

I can't imagine for the average user that doing something like this is simple
My condolences.

If you just look at that... how do you even know where to look for the hash etc.
By reading what is written on the site from top to bottom. You can do that, right? Click on all of the links and download them to the same folder.

Now when i look at verifying the files... we also need to download another program?   I see its called hashbit.  How do you make sure a program like hashbit is malware free etc?
How have you made sure the other programs on your Windows computer are malware-free? Have you? Have you made sure the Ledger Live app you are using is malware-free? Use Hashbit if you want or try the open-source apps that dkbit98 recommended in one of his replies. Again, read the thread.   
full member
Activity: 1708
Merit: 185
https://www.ledger.com/ledger-live/download


I am downloading ledger live from the site.


Now when i look at verifying the files... we also need to download another program?   I see its called hashbit.  How do you make sure a program like hashbit is malware free etc?


Is there a way to check the signature of ledger live without downloading another program?  Obviously you first download ledger live from the website... but can you verify it without downloading hashbit?  Im using windows ten pro if it matters.
full member
Activity: 1708
Merit: 185
Has there been even one case of someone downloading ledger live from the correct ledger site and then downloading malware?


Again I want to verify the ledger live but all this hash sum and these things... are not that simple.  So you need to download a hash on a different site before you download ledger live?


I can't imagine for the average user that doing something like this is simple




Ledger site posts this to verify

https://www.ledger.com/ledger-live/lld-signatures




If you just look at that... how do you even know where to look for the hash etc.
full member
Activity: 1708
Merit: 185
Okay im going to finally update ledger live.


Again Im still using the old ledger live and that is 2.26.1


Right now it shows Ledger Live 2.33.1.


So anyone here had success upgrading ledger live as is when going from a much older version?


So we have to download it directly from ledger site then no matter what?


Im going to do it later so want to make sure as I will be downloading it from ledger site.  But again even though its posted how to check the legit files, i want to make sure I do it right.


legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Ledger has released version 2.33.1 of their Ledger Live software about a week ago.
This would be a good opportunity to verify the installation binaries and the SHA-512sum hashes if you have never done that before to learn something new maybe.
legendary
Activity: 1876
Merit: 1552
I checked reddit and apparently other people seem to have the same issue.  So does one need to download it straight from ledger website or not?
As far as I know, if your Ledger Live is below v2.29.0, the application recommends you to download their latest version from their official website due to major changes[1]. So I think you should be downloading it on their official site and make sure that you have verified the signature.

[1] Ledger Live 2.29.0 - Windows Users

Also even if you are using an older version of ledger live... as long as it show synchronized.... that means your balance is correct right on ledger live?
Yes. The balance you are seeing depends on the accounts added on your Ledger app.
full member
Activity: 1708
Merit: 185
Well... can anyone here confirm if it can still be downloaded on the ledger live app or not?


It has the


Update to Ledger Live Version 2.32.2 is available



When I click download update, it does show downloading update... but it takes a very long time and nothing seem to do anything?  I had tried to download it... then I notice because i was idle on my computer, well ledger live would automatically sign you off etc.  So i go and sign back on... then download update, make sure i move my mouse frequently to make sure ledger live doesn't sign off... still downloading.



Previously any ledger live update I clicked on when using ledger live... it was pretty quick. 



I checked reddit and apparently other people seem to have the same issue.  So does one need to download it straight from ledger website or not?  Or does anyone have an estimated time of how long it takes to download this update?  As you know when you download the update straight from ledger live... it doesn't show you like how much percentage of it has been downloaded etc... so you just wait.



Also even if you are using an older version of ledger live... as long as it show synchronized.... that means your balance is correct right on ledger live?
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
As I mentioned earlier, Ledger Live claims that it is automatically verifying the download for you when you use the update button...

What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.
I understood the bolded part as a suggestion to users to still verify one instance of Ledger Live before they install it. After that, Ledger will carry out the other checks for all future updates. But you know the saying: "Don't verify, update!" It shouldn't matter what Ledger says.

But it's taking a very long time.  Is this normal?
Yes, it's normal (he said hoping you would stop asking unnecessary questions). Just make sure you have a priest present in the room to provide your software with the needed blessings. He should also be able to speed up the download time.   

Again I haven't done any ledger live update through ledger live in months, etc., etc., etc.
Oh good. It's been almost a day and I was worried that you wouldn't tell us that you haven't done any Ledger Live updates in months. Thanks for that. See you tomorrow where I expect you to tell us how long and why you haven't done any Ledger Live updates.
full member
Activity: 1708
Merit: 185
Okay so I clicked on update now on ledger live.


Its showing


Downloading update...



But it's taking a very long time.  Is this normal?  Again I haven't done any ledger live update through ledger live in months since last time it was mentioned you had to do it through the website so I didn't do it for months.


Previously whenever I click on update in top right corner of ledger live, it was very fast and then I clicked on download now etc.
HCP
legendary
Activity: 2086
Merit: 4314
How would that verify anything? The update button does what its name suggests. It updates the software to the newest release. You have to do the verification yourself as explained in the OP. 
As I mentioned earlier, Ledger Live claims that it is automatically verifying the download for you when you use the update button...

What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.

So, theoretically, there is no need to verify anything if you use the "in app" update button... you only need to manually verify the installers that are downloaded manually.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Hey.  Well back then, I always clicked on the update on the top right corner in ledger live whenever i saw an update available.  I always did this until few month ago when there was a ledger live update and people said you had to download it directly from the ledger website... so because of that... I didn't want to do it.
I really have to ask... Are you receiving regular and repeated blows to your head or something? Click the update button to update your version of Ledger live, what's wrong with you?

You can't verify the download when clicking on top right corner of update on ledger live right?
How would that verify anything? The update button does what its name suggests. It updates the software to the newest release. You have to do the verification yourself as explained in the OP. 
full member
Activity: 1708
Merit: 185
Hey.  Well back then, I always clicked on the update on the top right corner in ledger live whenever i saw an update available.  I always did this until few month ago when there was a ledger live update and people said you had to download it directly from the ledger website... so because of that... I didn't want to do it.


So to confirm... just updating right now on the top right corner on ledger live would never be an issue right?  Again, that is how i always used to update ledger live whenever i open ledger live and there is update available, i always update.  But because of what happened last time, i just decided to wait. 



You can't verify the download when clicking on top right corner of update on ledger live right?
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
You are asking the same questions and coming to the same conclusions like you did yesterday. If the update Ledger Live button is available on your computer and current version of LL, just click on it and update to the newest version. I wasn't joking when I said it yesterday. If you feel like verifying the authenticity of the downloaded software, just follow the step-by-step instructions in my OP. It's simple.
HCP
legendary
Activity: 2086
Merit: 4314
Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download any update since then.
It's really easy to verify the download... Ledger have all the information here: https://www.ledger.com/ledger-live/lld-signatures

The first page of this thread gives plenty of details on how to go about doing it.


An attacker who can compromise the Ledger website and make it link to a malicious download could equally compromise whichever server Ledger Live connects to when you hit the "Update" button and make that point towards a piece of malicious software too.

With any piece of software, just downloading it from the "correct" source (while good practice) is never enough to ensure your safety. You should always verify it against the developer's keys or hashes.
And then Ledger say things like this:
What about automatic updates

The update mechanism is secured once you've verified and installed Ledger Live. Ledger Live checks each upcoming update against Ledger's public key to verify that the update is legitimately from Ledger.

Seems they've set up Ledger Live to automatically authenticate any updates that it downloads... so, theoretically, once you've verified the installer once, you shouldn't need to do it again if you're using the in-app update mechanism... Would be interesting to see how robust this actually is.
legendary
Activity: 2268
Merit: 18503
Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download any update since then.
An attacker who can compromise the Ledger website and make it link to a malicious download could equally compromise whichever server Ledger Live connects to when you hit the "Update" button and make that point towards a piece of malicious software too.

With any piece of software, just downloading it from the "correct" source (while good practice) is never enough to ensure your safety. You should always verify it against the developer's keys or hashes.
full member
Activity: 1708
Merit: 185
Well I remember few months ago, there was a ledger live update and it was mentioned you could not download the update like normal by clicking on update now on ledger live program and had to go directly to ledger.com site in order to do the update.  Isn't that true?


Because of that, I didn't do any ledger live update since then.  Previously before this, i always click update on the top right corner in ledger live. 



So its confirmed... you can do this now?  But a while back, you couldn't... correct?



Reason I didn't download directly from ledger site is because people mention you need to make sure to verify the signature of the download and I didn't know how to do that... so I didn't download any update since then.



Thanks.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Im still using the older version of ledger live as i haven't updated it in a few months because i remember people said you couldn't just click download update on the top right corner when you open ledger live and needed to go directly to ledger site to download the new ledger live update.
Why would that present a problem to you? You could have gotten the updates from the official site like everyone else.  

Is this still true or not?   Before this, I always click download update and then it updated to newest version of ledger live. When i open ledger live, i see message of Update to Ledger Live version 2.32.2. Can you just click on download update like I did back then... or do i need to go directly to ledger site to do it?
If the option to update through the app is available again and you can click on the button, just do it. There is no need to download it manually from the official site then.


Also, I haven't connected my Ledger Live to my laptop in a few months.
You mean Ledger Nano S. Ledger Live is a piece of software, your hardware wallet is called Nano S.

Is it fine to connect it to the laptop while still using the older version of Ledger Live?
Yes that's fine.

Also, even though I never downloaded the newest version of Ledger Live... every time I sign in to Ledger Live, it does show synchronized in the top right corner. So if you never updated Ledger Live but it does show synchronized... your balance should always be correct, right?
The app checks the blockchain for any new transactions that could have been made, that's why it's synching. It will do that from older versions of the app as well unless the team decides otherwise.

@jerry0
This thread is about how to verify the authenticity of Ledger Live. I would appreciate it if you kept the discussions on topic. If you have other questions, make a new thread or post in one of your old ones.
full member
Activity: 1708
Merit: 185
Also, even though I never downloaded the newest version of Ledger Live... every time I sign in to Ledger Live, it does show synchronized in the top right corner. So if you never updated Ledger Live but it does show synchronized... your balance should always be correct, right?
full member
Activity: 1708
Merit: 185
I'm still using the older version of Ledger Live as I haven't updated it in a few months because I remember people said you couldn't just click download update in the top right corner when you open Ledger Live and needed to go directly to the Ledger site to download the new Ledger Live update. Is this still true or not? Before this, I always clicked download update and then it updated to the newest version of Ledger Live.

When I open Ledger Live, I see a message of

Update to Ledger Live version 2.32.2

Can you just click on download update like I did back then... or do I need to go directly to the Ledger site to do it?

Also, I haven't connected my Ledger Live to my laptop in a few months. Is it fine to connect it to the laptop while still using the older version of Ledger Live? Or should one always have the updated version of Ledger Live first before connecting the Ledger Nano S to it? Back then, I always downloaded any updates on Ledger Live since it was as simple as clicking download update in the top right corner of Ledger Live.



HCP
legendary
Activity: 2086
Merit: 4314
There is also a Get-FileHash applet in Windows PowerShell... it's actually the one mentioned on the Ledger site showing how to verify it... they just didn't make it obvious it was for PowerShell!
Code:
Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512

That will also generate the SHA512 hash... unfortunately, it doesn't format the output very well and tends to truncate the hash output!



But, as luck would have it... a minor addition to the command will work wonders:
Code:
Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512 | Format-Table -Wrap



or
Code:
Get-FileHash ledger-live-desktop-2.32.2-win.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap

copper member
Activity: 2142
Merit: 4219
Windows has a built-in certificate utility that can be used to calculate SHA512 sums.  Here's an example of how to use it to find the checksum of the hashfile.  You can use the same tool to calculate SHA256 and MD5 sums also.  Just change the sha512 at the end of the command to sha256 or md5 to obtain those sums.

Code:
CertUtil -hashfile C:\path\to\file\ledger-live-desktop-2.32.2-win.exe sha512

HCP
legendary
Activity: 2086
Merit: 4314
I did notice a significant difference in size. The Windows installer I downloaded from the wiki source is 63MB, while the curl 7.78.0 for Windows is only 5MB.

There is a 3MB "Light" installer available on the slproweb.com download page. As per the notes, it's the recommended one for "users":
I guess the first source contains many more libraries and/or tools while curl.se only comes with the basic package.    
Yes, I would concur... the 63MB one probably includes full source, libs and other tools that are useful/needed by software developers, but are not strictly necessary to just "use" OpenSSL.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
The OpenSSL Wiki actually has a list with a number of sites for getting Windows Binaries: https://wiki.openssl.org/index.php/Binaries
Thanks for the list. The OpenSSL wiki has the site I used and recommended placed on top, so everything is good. I did notice a significant difference in size. The Windows installer I downloaded from the wiki source is 63MB, while the curl 7.78.0 for Windows is only 5MB. I guess the first source contains many more libraries and/or tools while curl.se only comes with the basic package.   
HCP
legendary
Activity: 2086
Merit: 4314
Same here. Although Kleopatra is supposed to support .pem files, there seems to be a compatibility issue and it can't be imported as you realized as well.
Kleopatra does support .pem files. I believe the issue is that the public key that Ledger Live are using, is an OpenSSL public key... and not a PGP/GPG public key.

As Kleopatra is GPG based, it fails. Kinda like trying to use an ETH address in a BTC client.


There are Windows installers for OpenSSL here. This site was suggested on a few forums as a source to get hold of OpenSSL without having to compile it yourself.
The OpenSSL Wiki actually has a list with a number of sites for getting Windows Binaries: https://wiki.openssl.org/index.php/Binaries

I just used the curl.se one because it was one I had stumbled across previously and knew that it worked.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
As far as I can tell... the .pem file from Ledger (which is their public key), is not importable into Kleopatra.

I just get a "BER Error" when attempting to import this public key
Same here. Although Kleopatra is supposed to support .pem files, there seems to be a compatibility issue and it can't be imported as you realized as well.

So, for windows, I downloaded the "precompiled openssl binaries"[1] from here: https://curl.se/windows/
There are Windows installers for OpenSSL here. This site was suggested on a few forums as a source to get hold of OpenSSL without having to compile it yourself.

The Ledger files can be anywhere, as long as they are in the same folder. You just need to configure OpenSSL to the correct directory and it will work.
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
I did get the Openssl software on my computer but I don't know how to work with it unfortunately.

I never tried OpenSSL for Windows, but AFAIK all you need to do is put all the files in the same folder and run this command. If your cmd can't find openssl, you need to add the folder which contains openssl to the PATH variable (see https://helpdeskgeek.com/windows-10/add-windows-path-environment-variable/).

Code:
openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.32.2.sha512sum.sig ledger-live-desktop-2.32.2.sha512sum
HCP
legendary
Activity: 2086
Merit: 4314
As far as I can tell... the .pem file from Ledger (which is their public key), is not importable into Kleopatra.

I just get a "BER Error" when attempting to import this public key:



As far as I can tell, it's just not compatible with GPG... seems they're using openssl, and not GPG.


So, for windows, I downloaded the "precompiled openssl binaries"[1] from here: https://curl.se/windows/
Then I extracted the contents of that archive to C:\OpenSSL (to make life easier)... and then put the .pem, the .sha512sum and the .sig file in there as well.

Then used the openssl commandline as per the Ledger website:
Code:
openssl.exe dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.32.2.sha512sum.sig ledger-live-desktop-2.32.2.sha512sum



As you can see, I got the "Verified OK" message.



As mentioned, WSL (Windows Subsystem for Linux) is available on Windows 10 and gives you the ability to install several linux distros and open up a linux terminal. (sidenote: WSL2 on Windows 11 even has support for running Linux GUI apps!)

So, that's also an option.


[1] I don't currently have access to my dev machine, otherwise I would have downloaded and compiled the source myself.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I finally got the "Verified OK" notification for the SHA512 hash with OpenSSL. I haven't worked with this software in the past, so I had problems navigating to the correct path destination.

For those who want to try, the correct command is: cd followed by the path location. For example, if the folder with the downloaded Ledger files is on your Desktop, you would enter something like this:
Code:
cd \Users\YourUsername\Desktop\Name of the Folder

For example:
Code:
cd \Users\Pmalek\Desktop\Ledger
legendary
Activity: 1134
Merit: 1597
I think there's one more way to do it. I know you can get the Debian or Ubuntu terminal from the Win10 store, has anyone tried verifying sha256 or sha512 hashes with it? It's a quite easy setup, IIRC you just download Debian or Ubuntu from the Store, launch it and you can use apt to get the software you need for future use. ADB can be used through it, someone should try a sha256sum command on it to see if it works.
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
By "I can't get it to work", do you mean you can't get output "Verified OK" when verifying the file which contain SHA-512 sum?
I am using Windows 10. I am not sure if Kleopatra is the appropriate tool for this or if I am just not doing it correctly. Maybe Openssl or something simpler?
I am getting a "Decryption failed: No CMS object" when trying to verify the .pem file. The LL app, public key file, and SHA512sum.sig file are all in the same folder.

OpenSSL is also available for Windows, so I would recommend that. I can't find information on whether Kleopatra supports .pem files, but if you can't choose a .pem file during public key import, it's likely Kleopatra doesn't support it.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
OpenSSL is also available for Windows, so I would recommend that. I can't find information on whether Kleopatra supports .pem files, but if you can't choose a .pem file during public key import, it's likely Kleopatra doesn't support it.
When you click on the import button in Kleopatra, the software shows the certificate formats it accepts. Among others, it should be able to recognize .asc, .cer, .cert, .pem, and some others. But I am still getting an error trying to import the LL .pem file. Maybe the names of the files aren't correct or there is some other reason why it doesn't work.

I did get the Openssl software on my computer but I don't know how to work with it unfortunately.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
By "I can't get it to work", do you mean you can't get output "Verified OK" when verifying the file which contain SHA-512 sum?
I am using Windows 10. I am not sure if Kleopatra is the appropriate tool for this or if I am just not doing it correctly. Maybe Openssl or something simpler?
I am getting a "Decryption failed: No CMS object" when trying to verify the .pem file. The LL app, public key file, and SHA512sum.sig file are all in the same folder.

You seem to love closed source software very much.
Love? No. Use? Yes.

Maybe software like OpenHashTab or HashCheck would be a better open source alternative to use.
Sure, why not. A greater choice of tools is always good. Feel free to use one of those and post if you get different results.
legendary
Activity: 2212
Merit: 7064
An even better and safer option is not downloading and using the Ledger Live app at all.

A utility that displays file hashes, such as Hashtab.
You seem to love closed source software very much, so I have to trust them until they release Hashtab as open source (soon...like they say) that defeats the purpose of verifying anything and I think they don't have a Linux version.
Maybe software like OpenHashTab or HashCheck would be a better open source alternative to use.

Sadly, my "go to" which is the "CRC SHA" context menu that 7-Zip installs only supports SHA256. Is great for Bitcoin Core as it is still using SHA256's for its release hashes, but it seems Ledger have gone to the extreme with SHA512.
I think that the Peazip free archiver also has this option for SHA512 built in, and it is a great open source alternative to 7-zip.


legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
I have been trying to do the second part of the verification ("Verify the sha512sum hashes") as mentioned on https://www.ledger.com/ledger-live/lld-signatures, but I can't get it to work. Does anyone know how to verify if the files are actually signed by Ledger? Feel free to post the step-by-step instructions please.

By "I can't get it to work", do you mean you can't get output "Verified OK" when verifying the file which contain SHA-512 sum? The guide for Linux is straight-forward.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I have been trying to do the second part of the verification ("Verify the sha512sum hashes") as mentioned on https://www.ledger.com/ledger-live/lld-signatures, but I can't get it to work. Does anyone know how to verify if the files are actually signed by Ledger? Feel free to post the step-by-step instructions please.
HCP
legendary
Activity: 2086
Merit: 4314
The point is that everybody should just look around, you may already have a tool that makes you the hash.
Sadly, my "go to" which is the "CRC SHA" context menu that 7-Zip installs only supports SHA256. Is great for Bitcoin Core as it is still using SHA256's for its release hashes, but it seems Ledger have gone to the extreme with SHA512.


Quote
All in all, it's useful to know that LL also has a checksum one can verify.
Very... I didn't even know that they had these listed!
legendary
Activity: 3500
Merit: 6205
There are multiple tools for getting the hash for a file. I use Double Commander as file manager for windows and this one also has in Files->Calculate checksum the option to create a file next to yours, containing the checksum you selected (and one of the options is sha-512)



The point is that everybody should just look around, you may already have a tool that makes you the hash.
All in all, it's useful to know that LL also has a checksum one can verify.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Some members on Bitcointalk use Ledger hardware wallets, and a few use the native Ledger Live app as well. I noticed that we don’t have a thread about verifying Ledger Live signatures or the installation files, so I thought I would write a quick guide on how to do it.

This tutorial is for Windows users.

What is needed for the verification?

•   A utility that displays file hashes, such as Hashtab.
•   The Ledger Live app for your OS.

Verifying the installation binary

1.   Download and install Hashtab on your computer. Here is a VirusTotal report for the newest version.
2.   Download the correct version of Ledger Live for your OS.
3.   After LL has been downloaded, find the file, right-click on it, and click on “Properties”.
4.   If you installed Hashtab, you should notice a new tab called “File Hashes” under properties. Click on it.

5.   On the File Hashes tab, right-click in the white box and click on “Settings”.
6.   A new window will open, showing all Hashtab settings. Unselect all of them, tick only the “SHA-512” box, and click “OK”.

7.   Visit the Ledger Live Download Signatures page. Scroll down a little bit until you find the “Verify my Ledger Live install binary” section.
8.   Copy the SHA-512 hash for Windows from the site.

9.   In the Ledger Live properties menu under “File Hashes”, paste the copied SHA-512 hash in the “Hash Comparison” bar. If they are identical, a green tick mark will appear on your screen.

10.  You have either copied the wrong hash or downloaded a fake version of Ledger Live if you get a red cross instead.


More information on how to verify the SHA-512sum hashes can be found here: https://www.ledger.com/ledger-live/lld-signatures
Additionally, check out these posts for more instructions on how to verify the SHA-512sum hashes: 1, 2.


Source: https://support.ledger.com/hc/en-us/articles/4404807946001-How-to-verify-the-authenticity-of-Ledger-Live-on-Windows-?support=true
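
The checks discussed in this thread (the SHA-512 comparison from the tutorial, the Get-FileHash command and the openssl signature check) chained into one PowerShell script. This is an added example, not part of any post and not Ledger's own code; it assumes openssl.exe is on PATH, that all four files are in the current folder, and that the .sha512sum file uses the usual sha512sum line format with the installer listed under the file name shown.

```powershell
# Added example (not from the thread): full verification chain in PowerShell.
# Assumptions: openssl.exe is on PATH and the four files below sit in the
# current folder. File names are the ones used in this thread.
$installer = 'ledger-live-desktop-2.32.2-win.exe'
$sumFile   = 'ledger-live-desktop-2.32.2.sha512sum'
$sigFile   = "$sumFile.sig"
$pubKey    = 'ledgerlive.pem'

# 1. Check that the checksum file was signed with the key in ledgerlive.pem.
#    Same openssl command as in the thread; both the exit code and the
#    "Verified OK" text are checked.
$out = & openssl.exe dgst -sha256 -verify $pubKey -signature $sigFile $sumFile
if ($LASTEXITCODE -ne 0 -or ($out -join ' ') -notmatch 'Verified OK') {
    throw "Signature check failed for $sumFile. Do not trust its hashes."
}

# 2. Pull the installer's hash out of the (now trusted) checksum file.
#    Assumed line format, as written by sha512sum: "<128 hex>  <file name>",
#    with an optional "*" before the name.
$expected = $null
foreach ($line in Get-Content -Path $sumFile) {
    if ($line -match '^([0-9a-fA-F]{128})\s+\*?(.+)$' -and
        $Matches[2].Trim() -eq $installer) {
        $expected = $Matches[1]
    }
}
if (-not $expected) { throw "No entry for $installer in $sumFile." }

# 3. Hash the downloaded installer. Reading the .Hash property returns the
#    full 128-character string, so nothing is truncated by table formatting.
$actual = (Get-FileHash -Path $installer -Algorithm SHA512).Hash

# -eq on strings is case-insensitive in PowerShell, which matters because
# Get-FileHash prints upper-case hex and sha512sum files use lower-case.
if ($actual -eq $expected) {
    Write-Output "OK: $installer matches the signed SHA-512 hash."
} else {
    throw "MISMATCH: $installer does not match the signed hash. Delete it."
}
```

A pass only shows that the installer matches what the holder of the key in ledgerlive.pem signed, so the key file should come from a source you trust independently of the download.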
