How-to: Ledger Live Download with Digital Signature Verification

From Kicksecure
Jump to navigation Jump to search

Download and Digital Signature Verification of the Ledger Live cryptocurrency software.

Introduction[edit]

This wiki page must not be considered by itself. Read the Ledger Hardware Wallet wiki page first.

Testers only!

Download and Digital Software Verification[edit]

Introduction[edit]

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Kicksecure, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

At time of writing, ledger did not provide OpenPGP (gpg) digital software signaturesarchive.org. Performing digital software signature verification for the ledger live software requires openssl which is an even more cumbersome process than using gpg. Digital software signature verification is however highly recommended.

As always, do your own research on what is a legitimate domain name versus a scam domain name! Related: https://t.me/s/Whonix/10archive.org

[1]

Store all downloaded files in the same folder for simplicity. [2] User home folder would be most simple. [3]

Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity. This warning is strongly related to Verifying Software Signatures page.

These Ledger Live digital signature verification instructions are alternative. Can be seen as inspiration. A compilation of various information available on the internet. The user is free to question and ignore anything written here. In case of issues, refer to the information from the official Ledger homepage. Support requests should be directed at Ledger, not Kicksecure. See also Self Support First Policy.

If the wiki page digital software signature verification was read and understood, it should be clear by now, that anything written here conceptually cannot be trusted and should be independently verified by the user.

Ledger Developer OpenPGP Public Key[edit]

Key was found here:

Key fingerprint was found here:

Open a new file ~/ledger-developer-public-key.asc in a text editor.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFRcc7kBCADPzzR0VK6tPTUmPSz0L2t56idtdGglW67GIcdl4pH2qI8p4ZQO
qWv3r2ICjTBRsgU895UjvldfR9NM9pUHm7+LWrrCOwlwshoI6D8uY07jJ0ghzN+o
UyR7kZXI/Fy0AzcpXYllcSZstNWv4vQvFbEK6ygIa5RnoxS6tBCh/bzgXjEb3W+N
AsI1HbBJWTGRDOG0hCs5RIzi3Cdu84noYvR+jb1elmIWWPj7sNkjA9il5zNghoWN
1IKFWu7wpXdyMZU2z55D/IZhSiLVUu8a/ck+WApC4mYEKxmGXsxqUAhjq7O1WTkp
bNUk+rsXmkrSXIEYTD3bG+I/whJjr0vE/vefABEBAAG0Kk5pY29sYXMgQmFjY2Eg
KExlZGdlcikgPG5pY29sYXNAbGVkZ2VyLmZyPokBOAQTAQIAIgUCVFxzuQIbAwYL
CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQaD15ON9VFc4IQQf/XROBFfPzH5R4
uXGFXJx7NNf3woGXLTKWJizjvaYXEfIA45X6ku/PJ2EKtVrLkmAiF3lMumEgOmLP
+t4CAJq6xUHGXXSq/S9Jgt6G5jo942pocYKHy0m/GK5l90j0gLlFTp3fPNP0DhMy
P98gWBeBlY2Eu2I517COKDgVMk5HEBV0r1QicHo0OPpvbfLuv2hurKOSI9iGNS0G
wu9/inks7BiaEZoFr54R1Yhdku4MPxnvc4sQ5gcM/EJ3UKrGLJOwea4Tqtc74zVd
gBonleHhrJ9X68fQya2YeNuAhdV3Ei5AYZHETNqa7gcF4pWcogongHkKOrWB0o7w
/igsNEYOWLkBDQRUXHO5AQgA20UcIKTjG2IfqZpuNw74j3WbBjnqDB1J3rzwOJ5Z
QgWvWf18ybxYHM0GlZVRaXuf+H8FV0unMeNoyUt+N66SXdr4S5wdeJZO3D5QQ+xy
GlD+c969lOTZQTMBpoM6ETmA7OC5Hf2wowKcPvbvcrkG3r9PRjgcvdYfzTb1JoZ0
juEnzgSLQEAU3lxRbw6+HNCQdXyXToHHOTMqAzEBq8Q859y+tzHhYP2KoKSSmCfK
QF8wnLRfJaYRfWGL/DUSLMfGa0JImg1PXaNAvwNqJB1hjB8d8zyuZpOlMhnA1ab/
C7KrnayXtFZvyKVNKT0luW/7TPw3+CqpSdHXhcC1sUd+EQARAQABiQEfBBgBAgAJ
BQJUXHO5AhsMAAoJEGg9eTjfVRXO2Z8H/AxSIQMokp+S0BfHNESx5UuM9WnacDgJ
VMg1mwg32g9aw0jyUfslLgwd31/Z1NxxL1D8af5gNV5iWPoyRXP4pJZVuDHvmJE2
ULkKZgABiIazpDD3zL7aKBZ6/URY6XWrXs3b47ea2cvNctJdqjsiAPXEHGKMMoaQ
CfMhI0+7OKjjt6rFCEW8ZwhN2Xntjj7GqZhii23tgAPrrFzsVignrCogc3IGjowi
dd38UQcg/GxtF69gD56uB15opOr/1JddNga2xYAMzIUbJ81H7VVASg8N1lqdOGCM
zUy4DRfdLm3aWve2n4/cJQ857cpqWowvU7KKk5CE9gOuQddGRhqmnoc=
=UP/G
-----END PGP PUBLIC KEY BLOCK-----

gpg --import ~/ledger-developer-public-key.asc

Following message was shown to the author of this wiki page:

gpg: key 0x683D7938DF5515CE: public key "Nicolas Bacca (Ledger) <nicolas@ledger.fr>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg --fingerprint BAE88B19F6E323236DEB1AC7683D7938DF5515CE

Following message was shown to the author of this wiki page:

pub   rsa2048/0x683D7938DF5515CE 2014-11-07 [SC]
      Key fingerprint = BAE8 8B19 F6E3 2323 6DEB  1AC7 683D 7938 DF55 15CE
uid                   [ unknown] Nicolas Bacca (Ledger) <nicolas@ledger.fr>
sub   rsa2048/0xF8EBDECDBA9631CA 2014-11-07 [E]

Ledger OpenSSL Public Key Verification Message[edit]

Open a new file ~/ledger-key-verification-message.asc in a text editor.

Paste.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI
CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA==
- -----END PUBLIC KEY-----

is the correct public key used for Ledger Live releases

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEuuiLGfbjIyNt6xrHaD15ON9VFc4FAl+1WXESHG5pY29sYXNA
bGVkZ2VyLmZyAAoJEGg9eTjfVRXOzkIH/1SThfewrwo78bykaFM6aOdafaD5L7Ao
rnwTsyt8ipgoolEd+j4gC2fdphhw4Zde5M1YXbLH/K+QC99HsDR2GmD7oAPsccQC
dmst47lhSnyULUhAOfzC5USUs7jwFuNqX6TCf5B2Knym9f3CiyPKbKTZU894AH7d
jJmQUp05aU5f6Tp9ivcaJMUjPGT1l78fI3NR6UxqYkRKS9U3uFeMUBl3Y5QLkfMI
RrrVGciv05i7lkQl3pUX/t7luLKCFrnBqhHzLnOQujxOwLUUFEUeYiju9Ye8VdwY
oMcJSgRBhvTwgvL/WNi86yHE33B3IOxjEVMpDO5rlvHk6L2VRa4gZ60=
=M6VP
-----END PGP SIGNATURE-----

Save.

Verify the Ledger OpenSSL Public Key Verification Message.

gpg --verify ledger-key-verification-message.asc

Following message was shown to the author of this wiki page:

gpg: Signature made Wed 18 Nov 2020 12:27:13 PM EST
gpg:                using RSA key BAE88B19F6E323236DEB1AC7683D7938DF5515CE
gpg:                issuer "nicolas@ledger.fr"
gpg: Good signature from "Nicolas Bacca (Ledger) <nicolas@ledger.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BAE8 8B19 F6E3 2323 6DEB  1AC7 683D 7938 DF55 15CE

Ledger OpenSSL Public Key[edit]

Open a new file ~/ledgerlive.pem in a text editor.

Paste Ledger Live's OpenSSL public key (ECDSA).

-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI
CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA==
-----END PUBLIC KEY-----

Make sure that the actual key part MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA== matches from Ledger OpenSSL Public Key Verification Message.

Save.

Unfortunately Ledger OpenSSL Public Key does not exactly match Ledger OpenSSL Public Key Verification Message.

- -----BEGIN PUBLIC KEY----- versus -----BEGIN PUBLIC KEY-----.

- -----END PUBLIC KEY----- versus - -----END PUBLIC KEY-----.

The extraneous space and dash - was introduced by gpg during Ledger OpenSSL Public Key Verification Message creation of the Ledger developer. To verify that for yourself, create your own gpg signing key, clearsign a file containing - and have a look the the containing gpg clearsigned file. Original, unsigned - becomes - - in clearsigned file.

Another source for the Ledger OpenSSL Public Key:

https://github.com/LedgerHQ/ledger-live-desktop/blame/develop/src/main/updater/ledger-pubkey.jsarchive.org

It is mentioned here:

https://github.com/LedgerHQ/ledger-live-desktop/issues/2877#issuecomment-729835953archive.org

Download Ledger Live AppImage[edit]

These instructions where written for Ledger Live version 2.73.1. If another version is used or newer versions are released meanwhile, replace 2.73.1 with the actual version number being downloaded.

In that case, feel free to suggest an update to Template:version_ledger_live. (Scammers note: Do not bother attempting to add malicious contents as all wiki edits are moderated by wiki admins before these go live.)

Download the Ledger Live AppImage.

scurl-download https://download.live.ledger.com/ledger-live-desktop-2.73.1-linux-x86_64.AppImage

sha512 Hashes File Download[edit]

Download the Ledger Live sha512 Hashes file.

https://www.ledger.com/ledger-live/lld-signaturesarchive.orgledger-live-desktop-2.73.1.sha512sum → right click → Save link as...

sha512sum Hashes file Signature Download[edit]

Download the signature of sha512sum hashes file.

https://www.ledger.com/ledger-live/lld-signaturesarchive.orgledger-live-desktop-2.73.1.sha512sum.sig → right click → Save link as...

Verify sha512 Hashes File Signature[edit]

Verify the ledger live sha512 Hashes file.

openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.73.1.sha512sum.sig ledger-live-desktop-2.73.1.sha512sum

Should show:

Verified OK

Verify Ledger Live[edit]

Verify Ledger Live by verifying the Ledger Live sha512 hashes file.

sha512sum --ignore-missing --check ledger-live-desktop-2.73.1.sha512sum

Should show:

ledger-live-desktop-2.73.1-linux-x86_64.AppImage: OK

Setup Instructions[edit]

See Ledger Live Application Installation.

Footnotes[edit]

  1. Otherwise file paths need to be manually adjusted by the user.
  2. Other prior cd /path/to/folder required.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!