How To Verify the Downloaded Version of Ledger Live

[Pmalek]

Monthly bump

[1714238789]

1714238789

[1714238789]

1714238789

[jerry0]

Okay well actually I will come back to this thread.  Reason being I have to do a install of ledger live again.  But the process is still the same right?


I also read on reddit recently that apparently the code for it was not the same?  But I heard this was only with MAC devices?

[Pmalek]

Nothing has changed and the procedure is still the same last time I checked. My last LL update was less than a month ago.
I am not sure what you read on reddit. This guide is for Windows, and I tested it on my Windows PC. I don't have a MAC, so I wouldn't know. You use Windows as well, so don't worry about MACs. 

[jerry0]

I did the step HCP recommended a while back.  



When I typed this in windows powershell...


Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512 | Format-Table -AutoSize -Wrap




It is suppose to show this after you click enter to confirm it matches.


70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd763 6cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf






It shows below which is the correct letters and numbers... except how come what I bolded below is all in CAPITAL LETTERS?  Can someone here confirm this?  Last time when I did this with an earlier version of ledger live, I was pretty sure it was all in lowercase.  But now its all in uppercase?  



SHA512 - 70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd763 6cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf




Also to the right of the bolded above... I see Path C:/users/jerry0/downloads/ledger-live-desktop-2.36.3-win-x64.exe.  I don't recall seeing this few months ago when I did this test with windows powershell to verify ledger live?  Just want to make sure before I install it.

[Pmalek]

except how come what I bolded below is all in CAPITAL LETTERS?  
SHA512 - 70e4748f68bb949cc048c9db1b2887a865625e25ed071355f24c36e9d0796d4d5aa56ac359fd763 6cd3a522fc206985c514e5be17125d1f0e30b3a7b92dbdabf

I never used Powershell for the verification. I did it precisely as explained in the OP and used OpenSSL. The SHA512 string you pasted is not in capital letters. But even if it is, I don't see a reason to worry if you are getting the correct data.

Also to the right of the bolded above... I see Path C:/users/jerry0/downloads/ledger-live-desktop-2.36.3-win-x64.exe.  I don't recall seeing this few months ago when I did this test with windows powershell to verify ledger live?

That's just the location where the downloaded files are that were used for the verification. It was probably there the last time you did it as well, you just don't remember it. Shouldn't be a reason to worry.

[DireWolfM14]

@jerry0 contacted me via PM to help with this, sorry it took me so long to get to it.  I haven't used my Ledger wallets in over a year.  Therefore, I haven't had LedgerLive installed on my system, but I went ahead and downloaded the latest version and set about to verify it.

I found Ledger's instructions on how to verify the checksums here: https://www.ledger.com/ledger-live/lld-signatures

I downloaded the .pem file, the .sig file, and the .sha512sum file (saved with a .txt extension.)  The first thing I noticed is that the checksums file is signed with an OpenSSL key, not GPG.  Being a Windows user myself, this created a roadblock right away.  I don't have much experience with OpenSSL, let alone OpenSSL in Windows, so I didn't know how to verify the signature.  I installed the OpenSSL module that's available through PowerShell package manager, but it doesn't appear to provide a command to validate signatures.  I found a third-party package manager that claims to have a module called "OpenSSL.Light" which again claims to work similar to OpenSSL commands on Linux.  I didn't install it, because I don't want a third-party anything installed on my system.  So, I gave up and used WSL to validate the signature.

In WSL I browsed to the directory where I had saved all the files, and ran this command:

Code:

openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.36.3.sha512sum.sig ledger-live-desktop-2.36.3.sha512sum.txt

Kind of a shitty thing to do to Windows users, in my opinion.  Why not just use GPG like almost all of the other software vendors in the cryptocurrency space?  I've been displeased with Ledger for a variety of reasons, and this ain't helping win me back.  Not to mention the lack of security: The OpenSSL certificate, the signature file, and the checksums file are all hosted on the same server.  What could go wrong?

Once that was done the rest of it went fairly smoothly.  Now that I've confirmed the checksum file was signed with the OpenSSL certificate provided by Ledger I can check the SHA512 hash of the executable file.  I was able to do so in PowerShell like I normally do.

I prefer to use CertUtil to check hash sums:

Code:

certutil -hashfile ledger-live-desktop-2.36.3-win-x64.exe sha512

The instructions on Ledger's web page suggest to use the Get-FileHash command, like this:

Code:

Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512

But that's not great.  As you can see below, when using that command it truncates the results, only showing a portion of the hash.  As HCP suggested earlier in this thread you can add "| Format-Table -Wrap" to the end of the command, and the complete results will be displayed.  Here's the full command:

Code:

Get-FileHash ledger-live-desktop-2.36.3-win-x64.exe -Algorithm SHA512 | Format-Table -Wrap

@jerry0 was concerned because the result he got were all in capitol letters.  As you can see above, the hash sum is the same regardless of which utility you use, but Get-FileHash displays the results with all capitol letters, while CertUtil provides the results with all lower-case letters.  It doesn't appear that the hash sum is case-sensitive.

[Pmalek]

<Snip>

Nice of you to chip in. So Jerry PMed you as well. I guess there are very few people who weren't contacted by him with the same questions.
If you PMed him with the same exact instructions, he is now going to ask you about each step and ask if that is the best way to do it and if everyone else does it that way as well. I can't figure out why he needs instructions in a thread that has provided those instructions by myself and other users who have chipped in and explained various ways to do it.

[DireWolfM14]

<Snip>

Nice of you to chip in. So Jerry PMed you as well. I guess there are very few people who weren't contacted by him with the same questions.
If you PMed him with the same exact instructions, he is now going to ask you about each step and ask if that is the best way to do it and if everyone else does it that way as well. I can't figure out why he needs instructions in a thread that has provided those instructions by myself and other users who have chipped in and explained various ways to do it.

Yeah, I hope he'll be satisfied with the answer...  And I hope he remembers it months from now when Ledger issues another update.  

That OpenSSL signature has been bugging me for a while now, it was like an itch I needed to scratch.  I'm still not satisfied that I couldn't use PowerShell to verify it, but I've got more pressing matters today: There's a prime rib that needs to be BBQ'd.

Happy New Year, all.

[Pmalek]

Another thing that I realized with the Ledger Live download signatures page is that they removed the links to download the Windows version of Ledger Live. When I initially created this thread, it was still available. While going through the older versions from the dropdown menu, the last release whose Windows link was posted was v2.34.4. Starting from 2.35.0 and onwards, there are only download links for MAC and Linux.

Doesn't really make sense to me. Having them all there would make it easier to download all the needed files for the verification.

[jerry0]

Yea what he posted is how HCP suggested to check ledger live. 

[Pmalek]

It is again possible to verify the installation binaries of Ledger Live by following the instructions in OP and using the data available on https://www.ledger.com/ledger-live/lld-signatures just like in the past. Since Ledger migrated to a new GitHub repository, they didn't update the site with the sha512 hashes and signatures for the new releases, but now it's available again.

Since the old GitHub site with release notes isn't maintained anymore, you can now see what's new in the new versions by going to https://support.ledger.com/hc/en-us/articles/360020773319-What-s-new-in-Ledger-Live-?docs=true.

[Cricktor]

<snip>

So it took them approx. from end of May until end of July to fix the important checksums page https://www.ledger.com/ledger-live/lld-signatures on their own website? (I wouldn't consider https://ledger-live.vercel.app/lld-signatures as a valid source for the current checksums as posted by this moderator btchip on reddit who's flagged as Ledger co-founder; ridiculous security policy).
Until yesterday or day before yesterday https://www.ledger.com/ledger-live/lld-signatures was stuck at v2.42 as last available checksums.

The Ledger folks have some strange priorities.

[Pmalek]

(I wouldn't consider https://ledger-live.vercel.app/lld-signatures as a valid source for the current checksums as posted by this moderator btchip on reddit who's flagged as Ledger co-founder; ridiculous security policy).

That's the first time I am seeing that source. I am also not a fan of browsing reddit and I wasn't aware that it was being recommended there. Maybe btchip promoting it as a temporary solution while they complete their migration. It's interesting that the site you posted isn't mentioned in Ledger's official support documentation that explains how to verify the authenticity of Ledger Live even though the last update was on 29 June 2022.

The article mentions downloading and verifying version 2.42 of LL and then using the in-app update feature to upgrade to the newest version. https://ledger-live.vercel.app/lld-signatures isn't mentioned.   

[Cricktor]

I don't know what Ledger folks are doing. I expect a checksum or link to a checksums page in the proximity of a download link and cherry on top is when there's a link to a thorough explanation on how to verify the checksum and integrity of the download properly.

[Pmalek]

I don't know what Ledger folks are doing. I expect a checksum or link to a checksums page in the proximity of a download link and cherry on top is when there's a link to a thorough explanation on how to verify the checksum and integrity of the download properly.

The lack of information and instructions was like that from the beginning. I doubt they will do much to improve it. But just follow the recommendations in this thread and you will get there. It's a bad security practice to store all the files at the same place, but taking shortcuts seems to be a normal part of Ledger's business model.