How-to: Ledger Live Download with Digital Signature Verification
Download and Digital Signature Verification of the Ledger Live cryptocurrency software.
Introduction
Download and Digital Software Verification
Introduction
- Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
- Optional, not required: Digital signatures are optional and not mandatory for using Kicksecure, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
- Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here: digital software signatures.
At the time of writing, Ledger did not provide OpenPGP (gpg) digital software signatures. Performing digital software signature verification for the Ledger Live software requires openssl, which is an even more cumbersome process than using gpg. Digital software signature verification is, however, highly recommended.
As always, do your own research on what is a legitimate domain name versus a scam domain name! Related: https://t.me/s/Whonix/10
Store all downloaded files in the same folder for simplicity. [2] The user home folder would be the simplest choice. [3]
Ledger Developer OpenPGP Public Key
Key was found here:
- https://keybase.io/nicolab
- https://keybase.io/nicolab#show-public
- https://keybase.io/nicolab/pgp_keys.asc
- publish Ledger developer OpenPGP (gpg) key on ledger.com
Key fingerprint was found here:
- https://www.reddit.com/r/KeybaseProofs/comments/3ef1l4/my_keybase_proof_redditbtchip_keybasenicolab/
Open a new file ~/ledger-developer-public-key.asc in a text editor.
gpg --import ~/ledger-developer-public-key.asc
The following message was shown to the author of this wiki page:
gpg: key 0x683D7938DF5515CE: public key "Nicolas Bacca (Ledger) <nicolas@ledger.fr>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg --fingerprint BAE88B19F6E323236DEB1AC7683D7938DF5515CE
The following message was shown to the author of this wiki page:
pub rsa2048/0x683D7938DF5515CE 2014-11-07 [SC]
Key fingerprint = BAE8 8B19 F6E3 2323 6DEB 1AC7 683D 7938 DF55 15CE
uid [ unknown] Nicolas Bacca (Ledger) <nicolas@ledger.fr>
sub rsa2048/0xF8EBDECDBA9631CA 2014-11-07 [E]
Ledger OpenSSL Public Key Verification Message
Open a new file ~/ledger-key-verification-message.asc in a text editor.
Paste.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - -----BEGIN PUBLIC KEY----- MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA== - -----END PUBLIC KEY----- is the correct public key used for Ledger Live releases -----BEGIN PGP SIGNATURE----- iQFGBAEBCgAwFiEEuuiLGfbjIyNt6xrHaD15ON9VFc4FAl+1WXESHG5pY29sYXNA bGVkZ2VyLmZyAAoJEGg9eTjfVRXOzkIH/1SThfewrwo78bykaFM6aOdafaD5L7Ao rnwTsyt8ipgoolEd+j4gC2fdphhw4Zde5M1YXbLH/K+QC99HsDR2GmD7oAPsccQC dmst47lhSnyULUhAOfzC5USUs7jwFuNqX6TCf5B2Knym9f3CiyPKbKTZU894AH7d jJmQUp05aU5f6Tp9ivcaJMUjPGT1l78fI3NR6UxqYkRKS9U3uFeMUBl3Y5QLkfMI RrrVGciv05i7lkQl3pUX/t7luLKCFrnBqhHzLnOQujxOwLUUFEUeYiju9Ye8VdwY oMcJSgRBhvTwgvL/WNi86yHE33B3IOxjEVMpDO5rlvHk6L2VRa4gZ60= =M6VP -----END PGP SIGNATURE-----
Save.
Verify the Ledger OpenSSL Public Key Verification Message.
gpg --verify ledger-key-verification-message.asc
The following message was shown to the author of this wiki page:
gpg: Signature made Wed 18 Nov 2020 12:27:13 PM EST
gpg: using RSA key BAE88B19F6E323236DEB1AC7683D7938DF5515CE
gpg: issuer "nicolas@ledger.fr"
gpg: Good signature from "Nicolas Bacca (Ledger) <nicolas@ledger.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BAE8 8B19 F6E3 2323 6DEB 1AC7 683D 7938 DF55 15CE
Ledger OpenSSL Public Key
Open a new file ~/ledgerlive.pem in a text editor.
Paste Ledger Live's OpenSSL public key (ECDSA).
-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI
CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA==
-----END PUBLIC KEY-----
Make sure that the actual key part MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEN7qcsG6bogi1nkD3jnMWS813wWguYEcI
CRcijSvFskSFjHB5la4xUt+Omb2t6iUwop+JRy+EUhy0UQ9p/cPsQA==
matches the one in the Ledger OpenSSL Public Key Verification Message.
Save.
Unfortunately, the Ledger OpenSSL Public Key does not exactly match the key in the Ledger OpenSSL Public Key Verification Message.
- "- -----BEGIN PUBLIC KEY-----" versus "-----BEGIN PUBLIC KEY-----".
- "- -----END PUBLIC KEY-----" versus "-----END PUBLIC KEY-----".
The extraneous dash and space "- " were introduced by gpg when the Ledger developer created the Ledger OpenSSL Public Key Verification Message. To verify that for yourself, create your own gpg signing key, clearsign a file containing "-" and have a look at the resulting gpg clearsigned file. The original, unsigned "-" becomes "- -" in the clearsigned file.
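The "- " prefix is OpenPGP dash-escaping of cleartext-signed lines that begin with a dash, so it can be undone mechanically before comparing the two keys. The following shell functions are an added example, not part of the original page or of Ledger's tooling; the names clearsign_body, pem_block and same_key and all file contents are constructed for illustration, and the comparison is only meaningful after gpg --verify has reported a good signature for the message.

```shell
#!/bin/sh
# Added example (not from the original page). File contents below are constructed
# placeholders, not Ledger's key or a real signature.

# Print the signed text of a clearsigned file with OpenPGP dash-escaping undone.
clearsign_body() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { state = "hdr"; next }
        /^-----BEGIN PGP SIGNATURE-----$/      { state = "sig"; next }
        state == "hdr"  { if ($0 == "") state = "body"; next }  # skip "Hash:" headers
        state == "body" { sub(/^- /, ""); print }               # "- -----X" -> "-----X"
    ' "$1"
}

# Keep only the PEM public key block from stdin.
pem_block() {
    sed -n '/^-----BEGIN PUBLIC KEY-----$/,/^-----END PUBLIC KEY-----$/p'
}

# Exit 0 only if the key inside clearsigned file $1 equals the key in PEM file $2.
same_key() {
    signed_key=$(clearsign_body "$1" | pem_block)
    file_key=$(pem_block < "$2")
    [ -n "$signed_key" ] && [ "$signed_key" = "$file_key" ]
}

demo=$(mktemp -d)
cat > "$demo/message.asc" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PUBLIC KEY-----
Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==
- -----END PUBLIC KEY-----
is the correct public key (constructed sample)
-----BEGIN PGP SIGNATURE-----

Q09OU1RSVUNURUQtU0lHTkFUVVJF
-----END PGP SIGNATURE-----
EOF
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==' \
    '-----END PUBLIC KEY-----' > "$demo/key.pem"
sed 's/Q09O/Q09P/' "$demo/key.pem" > "$demo/tampered.pem"

same_key "$demo/message.asc" "$demo/key.pem"      && echo "key.pem: match"
same_key "$demo/message.asc" "$demo/tampered.pem" || echo "tampered.pem: MISMATCH"
```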
Another source for the Ledger OpenSSL Public Key:
https://github.com/LedgerHQ/ledger-live-desktop/blame/develop/src/main/updater/ledger-pubkey.js
It is mentioned here:
https://github.com/LedgerHQ/ledger-live-desktop/issues/2877#issuecomment-729835953
Download Ledger Live AppImage
Download the Ledger Live AppImage.
scurl-download https://download.live.ledger.com/ledger-live-desktop-2.73.1-linux-x86_64.AppImage
sha512 Hashes File Download
Download the Ledger Live sha512 Hashes file.
https://www.ledger.com/ledger-live/lld-signatures → ledger-live-desktop-2.73.1.sha512sum → right click → Save link as...
sha512sum Hashes file Signature Download
Download the signature of sha512sum hashes file.
https://www.ledger.com/ledger-live/lld-signatures → ledger-live-desktop-2.73.1.sha512sum.sig → right click → Save link as...
Verify sha512 Hashes File Signature
Verify the signature of the Ledger Live sha512 hashes file.
openssl dgst -sha256 -verify ledgerlive.pem -signature ledger-live-desktop-2.73.1.sha512sum.sig ledger-live-desktop-2.73.1.sha512sum
Should show:
Verified OK
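The signature check above and the hash check in the following section only protect the download when the second is run on a hashes file that has passed the first. The following shell function is an added example, not part of the original page; verify_release, the throwaway prime256v1 key and all file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Keys and files in the demo are
# throwaway, constructed stand-ins for Ledger's key and release files.

# verify_release PUBKEY_PEM SUMS_FILE SIG_FILE
# Returns 0 only if the signature on the hashes file is valid AND the files
# present in the current directory match it. 1 = bad signature, 2 = bad hash.
verify_release() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1 || {
        echo "signature on $2 is NOT valid; its hashes are not trusted" >&2
        return 1
    }
    # --ignore-missing: the hashes file also lists files that were not downloaded
    sha512sum --ignore-missing --check --quiet "$2" >/dev/null 2>&1 || {
        echo "hash check against $2 failed" >&2
        return 2
    }
}

# Demo on constructed data: a throwaway EC key signs a two-entry hashes file.
demo=$(mktemp -d) && cd "$demo" || exit 1
openssl ecparam -name prime256v1 -genkey -noout -out priv.pem 2>/dev/null
openssl ec -in priv.pem -pubout -out pub.pem 2>/dev/null
echo "constructed stand-in for the AppImage" > app.AppImage
sha512sum app.AppImage > app.sha512sum
printf 'x' | sha512sum | sed 's/-$/not-downloaded.exe/' >> app.sha512sum
openssl dgst -sha256 -sign priv.pem -out app.sha512sum.sig app.sha512sum

verify_release pub.pem app.sha512sum app.sha512sum.sig && echo "genuine download: OK"

# Tampered download plus a forged hashes file that matches it.
echo "tampered" >> app.AppImage
sha512sum app.AppImage > forged.sha512sum
verify_release pub.pem forged.sha512sum app.sha512sum.sig || echo "forged hashes file: rejected ($?)"
verify_release pub.pem app.sha512sum app.sha512sum.sig    || echo "tampered download: rejected ($?)"
```

The forged hashes file matches the tampered download perfectly, which is why the hash check alone proves nothing until the signature on the hashes file has been verified.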
Verify Ledger Live
Verify Ledger Live by verifying the Ledger Live sha512 hashes file.
sha512sum --ignore-missing --check ledger-live-desktop-2.73.1.sha512sum
Should show:
Setup Instructions
See Ledger Live Application Installation.