These scripts can be used to verify and install Ledger Live on Linux.
The scripts will allow you to easily verify and install another version of Ledger Live whenever needed.
Ledger Live as well as the apps you install on it are open source, but the firmware is closed source. If this is a concern for you, then take a look at Trezor which is open source or Coldcard which has viewable, editable, and verifiable source code and only supports Bitcoin.
π Check out the Code Monkeys Blog!
π₯ Subscribe to the Code Monkeys YouTube Channel!
Before running the verification and installation scripts for Ledger Live you should verify the scripts. This will minimize the possibility of the scripts being compromised. To perform the verification you'll need to have gnupg
and curl
installed which are most likely already installed on your system, but if not here's how to install them:
sudo pacman -S gnupg
sudo apt install -y gnupg
sudo pacman -S curl
sudo apt install -y curl
Now you need to import the public key that signed the manifest file which you can do by running the following command:
curl https://keybase.io/codemonkeystech/pgp_keys.asc | gpg --import
You're now ready to verify the manifest file. You will need to have the ledger-live-verify-and-install-manifest.sha512sum
and the ledger-live-verify-and-install-manifest.sha512sum.asc
files which should be in the same directory as the scripts from downloading the repository.
To verify the manifest file run the following command:
gpg --verify ledger-live-verify-and-install-manifest.sha512sum.asc
You should see the following if the verification was successful:
gpg: assuming signed data in 'ledger-live-verify-and-install-manifest.sha512sum'
gpg: Signature made Tue 09 May 2023 07:03:04 PM EDT
gpg: using RSA key FCFFD7771CCA9DC3A75EB51AD70C28777CBE04A5
gpg: Good signature from "Jay the Code Monkey <[email protected]>" [ultimate]
gpg: aka "Jay the Code Monkey <[email protected]>" [ultimate]
gpg: aka "[jpeg image of size 3958]" [ultimate]
Primary key fingerprint: B7E6 FB94 A589 876C CFC2 1E4B 1E07 E75C 19F1 AE0E
Subkey fingerprint: FCFF D777 1CCA 9DC3 A75E B51A D70C 2877 7CBE 04A5
Unless you tell GnuPG to trust the key, you'll see a warning similar to the following:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This warning means that the key is not certified by another third party authority. If the downloaded file was a fake, then the signature verification process would fail and you would be warned that the fingerprints don't match.
When you get a warning like this it's also good practice to check the key against other sources, e.g., the Code Monkeys Keybase or the Code Monkeys Blog.
You have now verified the signature of the manifest file which ensures the integrity and authenticity of the file but not the verification and installation scripts.
To verify the verification and installation scripts you'll need to recompute the SHA512 hashes of the files, compare them with the corresponding hashes in the manifest file, and ensure they match exactly which you can do by running the following command:
sha512sum --check ledger-live-verify-and-install-manifest.sha512sum
If the verification was successful you should see the following output:
./install-ledger-live.sh: OK
./verify-ledger-live.sh: OK
By completing the above steps you will have successfully verified the integrity of the verification and installation scripts, so you can now run the scripts whenever you need to verify and install another version of Ledger Live.
If for some reason you believe the scripts you have downloaded have been compromised on your machine you can always rerun the above commands again to ensure the integrity of the files.
To mitigate the possibility of anyone tampering with these scripts you can encrypt the files using, e.g., GnuPG.
gpg -c verify-ledger-live.sh
gpg -c install-ledger-live.sh
gpg verify-ledger-live.sh.gpg
gpg install-ledger-live.sh.gpg
The following programs are needed to run the scripts. They're most likely already installed, but if not here's how to install them:
sudo pacman -S coreutils
sudo apt install -y coreutils
sudo pacman -S openssl
sudo apt install -y openssl
It's a good idea whenever buying a hardware wallet online (as well as everything else) to use as little Personally Identifiable Information (PII) as possible.
This will mitigate the leaking of PII to the company, any third parties they may be using with their site, hackers, governments, etc.
Here are some tips when shopping online to help you preserve your privacy:
-
You should conceal your IP address when visiting the website or any websites related to the product you're purchasing by using a trusted VPN that you ideally paid for privately, that is open source, claims to not log, etc., e.g., IVPN or Mullvad
-
You also have the option of using Tor to conceal your IP address and if the site offers an onion address you should use it
-
Provide only the minimum amount of information that is required to complete the purchase and don't set up an account unless required
-
Use a pseudonym for your name, an aliased/burner email, an aliased/burner phone number, etc.
-
Don't use your home address or any other address that is easily tied to you for shipping instead use a P.O. box, UPS box, Amazon box, a random address not associated with you, etc.
- You should set up the mailing solution with as little PII as possible as well
-
Use a private payment method
The above suggestions are not an exhaustive list and do not guarantee you will remain anonymous when purchasing or using the products. There are always trade-offs between privacy, security, convenience, cost, etc., so consider your threat model and come up with a solution that works best for you.
Here are some tips when using Ledger Live to help you preserve your privacy:
-
Conceal your IP address using a trusted VPN or Tor as described in the above section
-
Use your own node or a node you trust if possible, e.g., when transacting with Bitcoin to prevent leaking your xpub and other PII to Ledger's nodes
-
Set any privacy settings within the application
-
Another option is to use Sparrow on desktop instead of Ledger Live when transacting with Bitcoin
To be able to execute the scripts run the following commands:
chmod u+x verify-ledger-live.sh
chmod u+x install-ledger-live.sh
Running chmod u+x
on the files grants only the owner of the file execution permissions.
Then verify Ledger Live by running:
./verify-ledger-live.sh
If the verification is successful then install Ledger Live by running:
./install-ledger-live.sh