Sign all release binaries #942

Closed
plavirudar opened this Issue Jul 9, 2018 · 22 comments


plavirudar commented Jul 9, 2018

  • I have checked this feature was not yet requested.

Part of the application

Application binary

Description

Previous releases such as the Ledger Chrome manager/wallet and Ledger standalone apps had all been signed using the key infrastructures of Google and the Ledger wallet itself.

However, the binaries offered for release are not signed by PGP or another method. It's therefore impossible to protect against malicious modifications of the binaries.

A public key for signing should be announced on the Ledger website, and then the current and all future release binaries should be signed with the corresponding private key.

Member

meriadec commented Jul 9, 2018

The app binaries for Windows & macOS are signed using Ledger certificate (see here for win, macOS certificate is signed at compile time).

For Linux builds it's not yet the case but we are evaluating different solutions/alternatives (display md5sum on app website? sign .AppImage?).

Or you can compile the app on your side ;)

Author

plavirudar commented Jul 9, 2018

I'm not sure if Ledger has a PGP signing key, but if you don't, it's trivial to create one, publicise it, and then use that key to sign the hashlist file. It's the industry standard of signing binaries and is used by pretty much every competent cryptocurrency coin team such as Bitcoin, Ethereum or Monero.

A list of secure hashes such as SHA256 or SHA3 (MD5 is not secure, since it has known collision attacks) is not a good way of ensuring file security, since the hash is stored on the same server as the binary and will be compromised at the same time, assuming a breach occurs.


probonopd commented Jul 9, 2018

An AppImage can carry a signature inside the AppImage file. appimagetool can sign using the -s option if GPG(2) is configured properly.


Andrewskiz commented Jul 10, 2018

Agreed, Ledger needs to be signing a hashlist with a PGP key. I would recommend not installing ledger live until they have taken this basic security step.


thijstriemstra commented Jul 16, 2018

Yes please! Any news, Ledger?

Member

meriadec commented Jul 17, 2018

@thijstriemstra we are currently working on automating our release process; for now you can check the sha512 sum in the latest-[platform].yml files pushed with the release.


thephez commented Jul 17, 2018

Note - for at least Linux, the checksum in the file is actually sha512 (and in base64). The following worked for me:
sha512sum ledger-live-desktop-1.0.2-linux-x86_64.AppImage | cut -f1 -d' ' | xxd -r -p | base64
Result:
/9B31ripdMWRGVAa1zAErLW6lJ5EpA5OTdBW/xqtVWpmYlPUMGNI/SRiNxI6YIevmtltIeSZWsKN
ZVlReg9cmA==

Member

meriadec commented Jul 17, 2018

Oops thx for pointing it out. It should definitely be documented somewhere 👍


Andrewskiz commented Jul 17, 2018

Checksums are a good start but they should be signed with a company issued PGP key to ensure trust.


pocin commented Sep 25, 2018

On Mac, the command is

/usr/local/bin/shasum -a 512 ledger-live-desktop-1.1.11-mac.dmg | cut -f1 -d' ' | xxd -r -p | base64
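
Added example, not part of the thread and not Ledger's code: a platform-independent version of the check in the two comments above, which compares a downloaded file against a SHA-512 value given as hex or as base64 (including base64 that has been wrapped across lines, as in the result shown earlier). The function names are hypothetical, and the top-level `sha512:` key read from the latest-[platform].yml file is an assumption about that file's layout.

```python
import base64
import binascii
import hashlib
import hmac
import re

def sha512_b64(path, chunk=1 << 20):
    """Base64 of the raw SHA-512 digest, read in chunks so large images are fine."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return base64.b64encode(h.digest()).decode()

def raw_digest(value):
    """Decode a published checksum (hex, or base64 possibly wrapped) to 64 raw bytes."""
    compact = "".join(value.split())          # drop line wraps and stray spaces
    if re.fullmatch(r"[0-9a-fA-F]{128}", compact):
        return bytes.fromhex(compact)
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("checksum is neither hex nor base64") from exc
    if len(raw) != 64:
        raise ValueError("checksum is not a SHA-512 digest")
    return raw

def manifest_digest(text):
    """Value of the top-level 'sha512:' key (assumed layout of the .yml file)."""
    m = re.search(r"^sha512:\s*(\S+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no top-level sha512 field")
    return m.group(1)

def verify(path, expected):
    """True if the file's SHA-512 equals the published value."""
    actual = base64.b64decode(sha512_b64(path))
    return hmac.compare_digest(raw_digest(expected), actual)

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a downloaded release and its manifest.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed release bytes")
    manifest = "version: 0.0.0\nsha512: " + sha512_b64(f.name) + "\n"
    print("match:", verify(f.name, manifest_digest(manifest)))
```

As argued earlier in the thread, a matching checksum fetched from the same server as the binary does not show that the server itself was not compromised.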

meriadec referenced this issue Oct 4, 2018: hash #1561 (Closed)


dbrgn commented Oct 24, 2018

I'm quite surprised that there are no signatures for these releases. Any timeline on this, @meriadec? Downloading an unsigned binary and double-clicking it without any checks is not something I can recommend to anyone using cryptocurrencies...

To create a detached PGP signature, use gpg -a --output <signature.sig> --detach-sig <ledgerlive.appimage>. The PGP key should use an appropriate algorithm and have reasonably low key lifetime. You could publish the key via your website or via https://keybase.io/. The latter would be better, because you can link trust in your key with trust in your website and Github / social media accounts.

Member

meriadec commented Oct 24, 2018

Hey @dbrgn, it's not for the next release but I hope it will be there in ~1month.

You can follow what's been done on this subject for now on this branch. Remaining work should be < 3 days but team is currently focused on developing the mobile app.


dbrgn commented Oct 25, 2018

@meriadec thanks! I just don't understand what the deal is though. Creating a PGP key is free and takes 5 minutes. There's even PGP support on the Ledger, so key management should also be a non-issue. And creating a detached signature also doesn't take more than a minute. Why not add signatures for the next release, and also sign all releases that have been created so far? Github allows adding more files to releases later on.

Thanks for your work!

Edit: Ah, now I realize that you have an auto-updater, and that you're building signature checks into that. That's very nice, looking forward to it! For the current releases, adding signatures manually still wouldn't hurt though 🙂

Member

gre commented Oct 25, 2018

@dbrgn we will hopefully have it all solved soon & we'll explain more everything we are setting up once shipped :)


dbrgn commented Oct 25, 2018

@gre Yep, I hope you saw my edit above 🙂

Member

meriadec commented Oct 25, 2018

Yes, it would take 5 min to sign with my (or other dev) PGP key, but what's been decided with our security team is to use the company key via a multi-signature process (e.g. require 5 people to sign). And the process is not yet finalized/automatized.

But fair point about manually signing the next release files, with a simple single key. WDYT @gre? IMO it's a good trade-off regarding the delay on secure-update.


gpatkinson commented Nov 22, 2018

Any updates on this? There's no way I'm going to blindly install Ledger Live, we really need some signature checks as pointed out above. Thanks in advance, I'm looking forward to trying the new software.

This was referenced Dec 12, 2018


mkusanagi commented Dec 30, 2018

Hi All,
I have had the same issue so created a Dockerfile that automatically builds the app from the source code (inside of a docker container). It works for me; if anybody is interested you can take a look: https://github.com/mkusanagi/ledger-live-desktop-builder


de-tributis commented Dec 30, 2018

So is this resolved now? How can I check if I downloaded a trustworthy file?


mkusanagi commented Dec 30, 2018

To clarify, I am just a random person that happens to have some skills. I am not connected with the Ledger company in any way (except owning their device), just shared some code that I created and use. For people that do not know what building from source is, or do not understand my code, I would recommend ignoring my post altogether and waiting for an official resolution.


danra commented Jan 10, 2019

Really, this is basic. As someone who just bought a new Ledger I am disappointed to find out there is no signature available for Ledger Live. This does not do your brand any good.

Member

gre commented Jan 10, 2019

We're working on it.
