Actions

How-to: Ledger Live Download with Digital Signature Verification

From Whonix



Introduction[edit]

Ambox warning pn.svg.png This wiki page must not be considered by itself. Read the Ledger Hardware Wallet wiki page first.

Ambox warning pn.svg.png Testers only!

Download and Digital Software Verification[edit]

Introduction[edit]

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

At time of writing, ledger did not provide OpenPGP (gpg) digital software signatures [archive]. Performing digital software signature verification for the ledger live software requires openssl which is an even more cumbersome process than using gpg. Digital software signature verification is however highly recommended.

As always, do your own research on what is a legitimate domain name versus a scam domain name! Related: https://t.me/s/Whonix_All_News/10 [archive]

[1]

Store all downloaded files in the same folder for simplicity. [2] User home folder would be most simple. [3]

Ambox warning pn.svg.png Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity. This warning is strongly related to Verifying Software Signatures page.

Ambox notice.png These Ledger Live digital signature verification instructions are alternative. Can be seen as inspiration. A compilation of various information available on the internet. The user is free to question and ignore anything written here. In case of issues, refer to the information from the official Ledger homepage. Support requests should be directed at Ledger, not Whonix ™. See also Free Support Principle.

Ambox warning pn.svg.png If the wiki page digital software signature verification was read and understood, it should be clear by now, that anything written here conceptually cannot be trusted and should be independently verified by the user.

Ledger Developer OpenPGP Public Key[edit]

Key was found here:

Key fingerprint was found here:

Open a new file ~/ledger-developer-public-key.asc in a text editor.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFRcc7kBCADPzzR0VK6tPTUmPSz0L2t56idtdGglW67GIcdl4pH2qI8p4ZQO
qWv3r2ICjTBRsgU895UjvldfR9NM9pUHm7+LWrrCOwlwshoI6D8uY07jJ0ghzN+o
UyR7kZXI/Fy0AzcpXYllcSZstNWv4vQvFbEK6ygIa5RnoxS6tBCh/bzgXjEb3W+N
AsI1HbBJWTGRDOG0hCs5RIzi3Cdu84noYvR+jb1elmIWWPj7sNkjA9il5zNghoWN
1IKFWu7wpXdyMZU2z55D/IZhSiLVUu8a/ck+WApC4mYEKxmGXsxqUAhjq7O1WTkp
bNUk+rsXmkrSXIEYTD3bG+I/whJjr0vE/vefABEBAAG0Kk5pY29sYXMgQmFjY2Eg
KExlZGdlcikgPG5pY29sYXNAbGVkZ2VyLmZyPokBOAQTAQIAIgUCVFxzuQIbAwYL
CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQaD15ON9VFc4IQQf/XROBFfPzH5R4
uXGFXJx7NNf3woGXLTKWJizjvaYXEfIA45X6ku/PJ2EKtVrLkmAiF3lMumEgOmLP
+t4CAJq6xUHGXXSq/S9Jgt6G5jo942pocYKHy0m/GK5l90j0gLlFTp3fPNP0DhMy
P98gWBeBlY2Eu2I517COKDgVMk5HEBV0r1QicHo0OPpvbfLuv2hurKOSI9iGNS0G
wu9/inks7BiaEZoFr54R1Yhdku4MPxnvc4sQ5gcM/EJ3UKrGLJOwea4Tqtc74zVd
gBonleHhrJ9X68fQya2YeNuAhdV3Ei5AYZHETNqa7gcF4pWcogongHkKOrWB0o7w
/igsNEYOWLkBDQRUXHO5AQgA20UcIKTjG2IfqZpuNw74j3WbBjnqDB1J3rzwOJ5Z
QgWvWf18ybxYHM0GlZVRaXuf+H8FV0unMeNoyUt+N66SXdr4S5wdeJZO3D5QQ+xy
GlD+c969lOTZQTMBpoM6ETmA7OC5Hf2wowKcPvbvcrkG3r9PRjgcvdYfzTb1JoZ0
juEnzgSLQEAU3lxRbw6+HNCQdXyXToHHOTMqAzEBq8Q859y+tzHhYP2KoKSSmCfK
QF8wnLRfJaYRfWGL/DUSLMfGa0JImg1PXaNAvwNqJB1hjB8d8zyuZpOlMhnA1ab/
C7KrnayXtFZvyKVNKT0luW/7TPw3+CqpSdHXhcC1sUd+EQARAQABiQEfBBgBAgAJ
BQJUXHO5AhsMAAoJEGg9eTjfVRXO2Z8H/AxSIQMokp+S0BfHNESx5UuM9WnacDgJ
VMg1mwg32g9aw0jyUfslLgwd31/Z1NxxL1D8af5gNV5iWPoyRXP4pJZVuDHvmJE2
ULkKZgABiIazpDD3zL7aKBZ6/URY6XWrXs3b47ea2cvNctJdqjsiAPXEHGKMMoaQ
CfMhI0+7OKjjt6rFCEW8ZwhN2Xntjj7GqZhii23tgAPrrFzsVignrCogc3IGjowi
dd38UQcg/GxtF69gD56uB15opOr/1JddNga2xYAMzIUbJ81H7VVASg8N1lqdOGCM
zUy4DRfdLm3aWve2n4/cJQ857cpqWowvU7KKk5CE9gOuQddGRhqmnoc=
=UP/G
-----END PGP PUBLIC KEY BLOCK-----

gpg --import ~/ledger-developer-public-key.asc

Following message was shown to the author of this wiki page:

gpg: key 0x683D7938DF5515CE: public key "Nicolas Bacca (Ledger) <nicolas@ledger.fr>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg --fingerprint BAE88B19F6E323236DEB1AC7683D7938DF5515CE

Following message was shown to the author of this wiki page:

pub   rsa2048/0x683D7938DF5515CE 2014-11-07 [SC]
      Key fingerprint = BAE8 8B19 F6E3 2323 6DEB  1AC7 683D 7938 DF55 15CE
uid                   [ unknown] Nicolas Bacca (Ledger) <nicolas@ledger.fr>
sub   rsa2048/0xF8EBDECDBA9631CA 2014-11-07 [E]

Ledger OpenSSL Public Key Verification Message[edit]

Open a new file ~/ledger-key-verification-message.asc in a text editor.

Paste.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI
CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA==
- -----END PUBLIC KEY-----

is the correct public key used for Ledger Live releases

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEuuiLGfbjIyNt6xrHaD15ON9VFc4FAl+1WXESHG5pY29sYXNA
bGVkZ2VyLmZyAAoJEGg9eTjfVRXOzkIH/1SThfewrwo78bykaFM6aOdafaD5L7Ao
rnwTsyt8ipgoolEd+j4gC2fdphhw4Zde5M1YXbLH/K+QC99HsDR2GmD7oAPsccQC
dmst47lhSnyULUhAOfzC5USUs7jwFuNqX6TCf5B2Knym9f3CiyPKbKTZU894AH7d
jJmQUp05aU5f6Tp9ivcaJMUjPGT1l78fI3NR6UxqYkRKS9U3uFeMUBl3Y5QLkfMI
RrrVGciv05i7lkQl3pUX/t7luLKCFrnBqhHzLnOQujxOwLUUFEUeYiju9Ye8VdwY
oMcJSgRBhvTwgvL/WNi86yHE33B3IOxjEVMpDO5rlvHk6L2VRa4gZ60=
=M6VP
-----END PGP SIGNATURE-----

Save.

Verify the Ledger OpenSSL Public Key Verification Message.

gpg --verify ledger-key-verification-message.asc

Following message was shown to the author of this wiki page:

gpg: Signature made Wed 18 Nov 2020 12:27:13 PM EST
gpg:                using RSA key BAE88B19F6E323236DEB1AC7683D7938DF5515CE
gpg:                issuer "nicolas@ledger.fr"
gpg: Good signature from "Nicolas Bacca (Ledger) <nicolas@ledger.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BAE8 8B19 F6E3 2323 6DEB  1AC7 683D 7938 DF55 15CE

Ledger OpenSSL Public Key[edit]

Open a new file ~/ledgerlive.pem in a text editor.

Paste Ledger Live's OpenSSL public key (ECDSA).

-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI
CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA==
-----END PUBLIC KEY-----

Make sure that the actual key part MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA== matches from Ledger OpenSSL Public Key Verification Message.

Save.

Unfortunately Ledger OpenSSL Public Key does not exactly match Ledger OpenSSL Public Key Verification Message.

- -----BEGIN PUBLIC KEY----- versus -----BEGIN PUBLIC KEY-----.

- -----END PUBLIC KEY----- versus - -----END PUBLIC KEY-----.

The extraneous space and dash - was introduced by gpg during Ledger OpenSSL Public Key Verification Message creation of the Ledger developer. To verify that for yourself, create your own gpg signing key, clearsign a file containing - and have a look the the containing gpg clearsigned file. Original, unsigned - becomes - - in clearsigned file.

Another source for the Ledger OpenSSL Public Key:

https://github.com/LedgerHQ/ledger-live-desktop/blame/develop/src/main/updater/ledger-pubkey.js [archive]

It is mentioned here:

https://github.com/LedgerHQ/ledger-live-desktop/issues/2877#issuecomment-729835953 [archive]

Download Ledger Live AppImage[edit]

Ambox notice.png These instructions where written for Ledger Live version 2.21.3. If another version is used or newer versions are released meanwhile, replace 2.21.3 with the actual version number being downloaded.

In that case, feel free to suggest an update to Template:version_ledger_live. (Scammers note: Do not bother attempting to add malicious contents as all wiki edits are moderated by wiki admins before these go live.)

Download the Ledger Live AppImage.

scurl-download https://github.com/LedgerHQ/ledger-live-desktop/releases/download/v2.21.3/ledger-live-desktop-2.21.3-linux-x86_64.AppImage

sha512 Hashes File Download[edit]

Download the Ledger Live sha512 Hashes file.

https://validate.live.ledger.com/lld-signatures [archive]ledger-live-desktop-2.21.3.sha512sum → right click → Save link as...

sha512sum Hashes file Signature Download[edit]

Download the signature of sha512sum hashes file.

https://validate.live.ledger.com/lld-signatures [archive]ledger-live-desktop-2.21.3.sha512sum.sig → right click → Save link as...

Verify sha512 Hashes File Signature[edit]

Verify the ledger live sha512 Hashes file.

openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.21.3.sha512sum.sig ledger-live-desktop-2.21.3.sha512sum

Should show:

Verified OK

Verify Ledger Live[edit]

Verify Ledger Live by verifying the Ledger Live sha512 hashes file.

sha512sum --check ledger-live-desktop-2.21.3.sha512sum

Should show:

ledger-live-desktop-2.21.3-linux-x86_64.AppImage: OK
sha512sum: ledger-live-desktop-2.21.3-mac.dmg: No such file or directory
ledger-live-desktop-2.21.3-mac.dmg: FAILED open or read
sha512sum: ledger-live-desktop-2.21.3-mac.zip: No such file or directory
ledger-live-desktop-2.21.3-mac.zip: FAILED open or read
sha512sum: ledger-live-desktop-2.21.3-win.exe: No such file or directory
ledger-live-desktop-2.21.3-win.exe: FAILED open or read
sha512sum: WARNING: 3 listed files could not be read

Alternatively one could run the following command.

sha512sum ledger-live-desktop-2.21.3-linux-x86_64.AppImage

And then compare the actual sha512 hash with the sha512 hash as in Ledger Live sha512 hashes file.

Setup Instructions[edit]

See Ledger Live Application Installation.

Footnotes[edit]



text=Jobs in USA
Jobs in USA


Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Ledger Live Installation with Verification&body=https://www.whonix.org/wiki/Ledger_Live_Installation_with_Verification link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Ledger_Live_Installation_with_Verification&title=Ledger Live Installation with Verification link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Ledger_Live_Installation_with_Verification&t=Ledger Live Installation with Verification link=https://mastodon.technology/share?message=Ledger Live Installation with Verification%20https://www.whonix.org/wiki/Ledger_Live_Installation_with_Verification&t=Ledger Live Installation with Verification

Did you know that anyone can edit the Whonix ™ wiki to improve it?

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.