Ledger-live-desktop: Sign all release binaries

Created on 9 Jul 2018 · 27 comments · Source: LedgerHQ/ledger-live-desktop

  • [x] I have checked this feature was not yet requested.

Part of the application

Application binary

Description

Previous releases such as the Ledger Chrome manager/wallet and Ledger standalone apps had all been signed using the key infrastructures of Google and the Ledger wallet itself.

However, the binaries offered for release are not signed by PGP or another method. It's therefore impossible to protect against malicious modifications of the binaries.

A public key for signing should be announced on the Ledger website, and then the current and all future release binaries should be signed with the corresponding private key.

Most helpful comment

Checksums are a good start but they should be signed with a company issued PGP key to ensure trust.

All 27 comments

The app binaries for Windows & macOS are signed using the Ledger certificate (see here for win; the macOS certificate is signed at compile time).

For Linux builds it's not yet the case but we are evaluating different solutions/alternatives (display md5sum on app website? sign .AppImage?).

Or you can compile the app on your side ;)

I'm not sure if Ledger has a PGP signing key, but if you don't, it's trivial to create one, publicise it, and then use that key to sign the hashlist file. It's the industry standard of signing binaries and is used by pretty much every competent cryptocurrency coin team such as Bitcoin, Ethereum or Monero

A list of secure hashes such as SHA256 or SHA3 (MD5 is not secure, since it has known collision attacks) is not a good way of ensuring file security, since the hash is stored on the same server as the binary and will be compromised at the same time, assuming a breach occurs.

An AppImage can carry a signature inside the AppImage file. appimagetool can sign using the -s option if GPG(2) is configured properly.

Agreed, Ledger needs to be signing a hashlist with a PGP key. I would recommend not installing ledger live until they have taken this basic security step.

yes please! any news ledger?

@thijstriemstra we are currently working on automating our release process, for now you can check the sha512 sum in the latest-[platform].yml files pushed with the release.

Note - for at least Linux, the checksum in the file is actually sha512 (and in base64). The following worked for me:
sha512sum ledger-live-desktop-1.0.2-linux-x86_64.AppImage| cut -f1 -d\ | xxd -r -p | base64
Result:
/9B31ripdMWRGVAa1zAErLW6lJ5EpA5OTdBW/xqtVWpmYlPUMGNI/SRiNxI6YIevmtltIeSZWsKN
ZVlReg9cmA==

Oops thx for pointing it out. It should definitely be documented somewhere :+1:

Checksums are a good start but they should be signed with a company issued PGP key to ensure trust.

on Mac, the command is

/usr/local/bin/shasum -a 512 ledger-live-desktop-1.1.11-mac.dmg | cut -f1 -d\ | xxd -r -p | base64
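The two shell pipelines above (Linux and macOS) both convert the hex digest that sha512sum/shasum print into the base64 form that electron-builder writes into latest-[platform].yml. The following is an added example, not code from the ledger-live-desktop project, that does the same conversion in Python and checks a downloaded file against the sha512 entry for its name in such a yml file. The yml fragment is constructed for the example, and the file layout it assumes (a `files:` list of `url`/`sha512`/`size` entries) is an assumption about electron-builder's output, not something documented in this thread.

```python
"""Check a downloaded release file against the base64 SHA-512 recorded in
latest-<platform>.yml. Added example; not Ledger's code."""
import base64
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed sample in the assumed electron-builder layout. The digest
# placeholders are filled in by demo(); real files carry real values.
SAMPLE_LATEST_YML = """\
version: 1.0.2
files:
  - url: ledger-live-desktop-1.0.2-linux-x86_64.AppImage
    sha512: <sha512-b64>
    size: 48
path: ledger-live-desktop-1.0.2-linux-x86_64.AppImage
sha512: <sha512-b64>
"""


def hex_to_b64(hex_digest):
    """Same transformation as `... | xxd -r -p | base64`: hex text -> raw
    bytes -> base64 text. Applies to the output of sha512sum or shasum -a 512."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def sha512_b64(path):
    """SHA-512 of a file, base64-encoded the way latest-*.yml stores it.
    Streams the file so a multi-hundred-MB AppImage is not read into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii")


def parse_latest_yml(text):
    """Map url -> base64 sha512 from the files: list. Minimal line scanner
    that pairs each `- url:` with the next `sha512:`; the top-level
    `sha512:` after `path:` is deliberately ignored."""
    entries = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- url:"):
            current = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("sha512:") and current is not None:
            entries[current] = stripped.split(":", 1)[1].strip()
            current = None
    return entries


def verify_download(path, latest_yml_text):
    """True only if the file's SHA-512 equals the yml entry for its file name.
    compare_digest avoids leaking where the comparison diverged."""
    expected = parse_latest_yml(latest_yml_text).get(Path(path).name)
    if expected is None:
        return False  # file name not listed: treat as unverified
    return hmac.compare_digest(sha512_b64(path), expected)


def demo():
    """Self-check on a constructed file. Returns (genuine_matches, tampered_detected)."""
    data = b"constructed sample payload, not a real AppImage\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ledger-live-desktop-1.0.2-linux-x86_64.AppImage")
        with open(path, "wb") as f:
            f.write(data)
        digest = hex_to_b64(hashlib.sha512(data).hexdigest())
        good_yml = SAMPLE_LATEST_YML.replace("<sha512-b64>", digest)
        bad_yml = SAMPLE_LATEST_YML.replace("<sha512-b64>", "A" * 86 + "==")
        return verify_download(path, good_yml), verify_download(path, bad_yml)


if __name__ == "__main__":
    print(demo())
```

Note that this checks integrity only: the yml file is served from the same place as the binary, which is exactly the objection raised earlier in the thread, so a matching digest says nothing about who published the file unless the checksum list itself is signed.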

I'm quite surprised that there are no signatures for these releases. Any timeline on this, @meriadec? Downloading an unsigned binary and double-clicking it without any checks is not something I can recommend to anyone using cryptocurrencies...

To create a detached PGP signature, use gpg -a --output <signature.sig> --detach-sig <ledgerlive.appimage>. The PGP key should use an appropriate algorithm and have reasonably low key lifetime. You could publish the key via your website or via https://keybase.io/. The latter would be better, because you can link trust in your key with trust in your website and Github / social media accounts.

Hey @dbrgn, it's not for the next release but I hope it will be there in ~1month.

You can follow what's been done on this subject for now on this branch. Remaining work should be < 3 days but team is currently focused on developing the mobile app.

@meriadec thanks! I just don't understand what the deal is though. Creating a PGP key is free and takes 5 minutes. There's even PGP support on the Ledger, so key management should also be a non-issue. And creating a detached signature also doesn't take more than a minute. Why not add signatures for the next release, and also sign all releases that have been created so far? Github allows adding more files to releases later on.

Thanks for your work!

Edit: Ah, now I realize that you have an auto-updater, and that you're building signature checks into that. That's very nice, looking forward to it! For the current releases, adding signatures manually still wouldn't hurt though :slightly_smiling_face:

@dbrgn we will hopefully have it all solved soon & we'll explain more everything we are setting up once shipped :)

@gre Yep, I hope you saw my edit above :slightly_smiling_face:

Yes, it would take 5 min to sign with my (or another dev's) PGP key, but what's been decided with our security team is to use the company key via a multi-signature process (e.g. require 5 people to sign). And the process is not yet finalized/automated.

But fair point about manually signing the next release files, with a simple single key. WDYT @gre? IMO it's a good trade-off regarding the delay on secure-update.

Any updates on this? There's no way I'm going to blindly install Ledger Live, we really need some signature checks as pointed out above. Thanks in advance, I'm looking forward to trying the new software.

Hi All,
I have had the same issue so created a Dockerfile that automatically builds the app from the source code (inside of a docker container). It works for me, if anybody is interested you can take a look: https://github.com/mkusanagi/ledger-live-desktop-builder

So is this resolved now? How can I check if I downloaded a trustworthy file?

To clarify, I am just a random person that happens to have some skills. I am not connected with the Ledger company anyhow (except owning their device), just shared some code that I created and use. For people that do not know what building from source is, or do not understand my code, I would recommend ignoring my post altogether and waiting for an official resolution.

Really, this is basic. As someone who just bought a new ledger I am disappointed to find out there is no signature available for Ledger Live. This does not do your brand any good.

we're working on it.

This issue was marked as closed, but the referenced commit (#1705) seems to only deal with updates pulled by an already-installed copy of the application.

Are there any plans to publish PGP (or other) signatures for the downloads on the ledger site and/or the github releases?

This seems to me to be the first step in a layered defense -- securing downloaded updates does little if the initially installed application is compromised, and end users have no way of verifying the integrity of the downloads.

Last time I heard you can use ledger it's so secure that you can run it with malware running on your machine it doesn't matter. So who cares? And the long mystery command like
"sha512sum ledger-live-desktop-1.0.2-linux-x86_64.AppImage| cut -f1 -d\ | xxd -r -p | base64" to verify is another way of saying "don't care about you noobs"

@greatbigwhiteworld PGP signatures have long been the standard for verifying that the software you're installing is 1) what it's supposed to be and 2) from the person or group you think it's from. If you don't understand how it works, read about it. After all, public key encryption is the same system underpinning the crypto currencies LedgerLive helps you collect.

I agree with the need for anyone to validate these hash.
It is already available but not documented yet, the short answer is it's there:

http://resources.live.ledger.app/public_resources/signatures/$FILENAME 
http://resources.live.ledger.app/public_resources/signatures/$FILENAME.sig

where FILENAME can be for instance ledger-live-desktop-1.15.0.sha512sum

( check the .sig is signed by ledger (ledger signature to document and/or public script to check) and check the build they downloaded has the same sha as the one in the sha512sum file. )

but we need to document it in a better way
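The comment above describes a two-step check: confirm the .sig over the .sha512sum file was made by Ledger's key, then confirm the downloaded build matches a line in that file. The earlier comment shows the detached signature being created with gpg. As an added example, not Ledger's script, the following Python wraps `gpg --verify` and, instead of trusting the exit code alone, parses gpg's machine-readable status output for a VALIDSIG line carrying the expected fingerprint; gpg exits 0 for any well-formed good signature, including one from an unrelated key, so the fingerprint check is the part that actually binds the file to the publisher. The fingerprint constant is a placeholder and the status lines and checksum listing are constructed for the example; the .sha512sum line layout (`<hex>  <filename>`) is the standard sha512sum format.

```python
"""Verify a release checksum list via its detached PGP signature, then the
download against the list. Added example; not Ledger's own check script."""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

# Placeholder: replace with the fingerprint Ledger publishes for its release key.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

# Constructed gpg --status-fd output for a good signature by the placeholder key.
# VALIDSIG fields: fpr date ts expire ver reserved pk-algo hash-algo class primary-fpr
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Placeholder Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2019-01-01 1546300800 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 1111111111111111 Placeholder Release Key\n"


def parse_gpg_status(status_text, expected_fpr):
    """Interpret --status-fd lines. Returns (ok, reason). ok only when a
    VALIDSIG names expected_fpr as the signing or primary key."""
    good = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag = parts[1]
        if tag in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, tag
        if tag == "VALIDSIG":
            fprs = {parts[2].upper(), parts[-1].upper()}
            if expected_fpr.upper() not in fprs:
                return False, "VALIDSIG by unexpected key " + parts[2]
            good = True
    return (True, "VALIDSIG") if good else (False, "no VALIDSIG")


def verify_detached(sig_path, data_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached signature and judge the result by fingerprint.
    The key must already be imported; gpg itself is assumed on PATH."""
    gpg = shutil.which("gpg") or shutil.which("gpg2")
    if gpg is None:
        return False, "gpg not installed"
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return parse_gpg_status(proc.stdout, expected_fpr)


def parse_sha512sum_file(text):
    """Lines of `<hex sha512>  <filename>` (binary mode writes `*filename`)."""
    listing = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if len(digest) == 128:
            listing[name.strip().lstrip("*")] = digest.lower()
    return listing


def check_download(path, sha512sum_text):
    """True only if the file's hex SHA-512 matches the listing entry for its name."""
    expected = parse_sha512sum_file(sha512sum_text).get(os.path.basename(path))
    if expected is None:
        return False
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def demo():
    """Self-check of the checksum step on a constructed file; returns (match, mismatch_detected)."""
    data = b"constructed sample payload, not a real AppImage\n"
    name = "ledger-live-desktop-1.15.0-linux-x86_64.AppImage"  # assumed file name
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        good = f"{hashlib.sha512(data).hexdigest()}  {name}\n"
        bad = f"{'0' * 128}  {name}\n"
        return check_download(path, good), check_download(path, bad)
```

Usage would be `verify_detached("ledger-live-desktop-1.15.0.sha512sum.sig", "ledger-live-desktop-1.15.0.sha512sum")` followed by `check_download(<downloaded file>, open("ledger-live-desktop-1.15.0.sha512sum").read())`, and only proceeding when both return True. The expected fingerprint should come from a source independent of the download server (the vendor's website over HTTPS, printed documentation, or a keybase-style proof, as suggested earlier in the thread), otherwise an attacker who replaces the binary can just as easily replace the key.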

@GreatBigWhiteWorld

Last time I heard you can use ledger it's so secure that you can run it with malware running on your machine it doesn't matter. So who cares?

My ledger may be safe, but as a general rule, I'd prefer to minimize the amount of malware I install on my computer.

And it's always better to make the attacker jump through two impossible hoops instead of just one, in case of an unpredictable failure; otherwise it's like you're waving a gun around saying "it's fine, the safety's on!"

(Great to hear gre's comment that they're working on a formal process!).
