Verifying Mullvad Browser signature

MULLVAD BROWSER

Last updated: 15 May 2023


Learn how to verify the Mullvad browser

Install GnuPG

First you need to get GnuPG (GPG) version 2.1 or newer. Avoid the legacy 1.4 version of GnuPG.

Linux

Many Linux distros come with GnuPG already installed. If not, you can usually install it via the default package manager under the package name gnupg2.

macOS

Install GnuPG 2.2 via Homebrew by running brew install gnupg.

Windows

You can install the Gpg4win package available on the official GnuPG website. After doing that, the gpg command should be available in the console.

Download the Tor Browser Developers signing key

The fingerprint of the code signing key is EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290. The key can be downloaded from the Tor Project with:

gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

Trust the signing key

Once you have downloaded the signing key you should set the trust level to "ultimate" so that it can be used to automatically verify all the keys signed by the Mullvad signing key. This step can be skipped, but then a warning will be printed during each file verification saying that the key is not certified with a trusted signature.

To open the GnuPG key edit prompt, run:

gpg --edit-key EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

You should get the following output:

gpg (GnuPG) 2.3.7; Copyright (C) 2021 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa4096/4E2C6E8793298290
     created: 2014-12-15  expires: 2025-07-21  usage: C   
     trust: unknown       validity: unknown
The following key was revoked on 2015-08-26 by RSA key 4E2C6E8793298290 Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub  rsa4096/2D000988589839A3
     created: 2014-12-15  revoked: 2015-08-26  usage: S   
sub  rsa4096/EB774491D9FF06E2
     created: 2018-05-26  expired: 2022-01-04  usage: S   
sub  rsa4096/E53D989A9E2D47BF
     created: 2021-09-17  expires: 2023-09-17  usage: S   
[ unknown] (1). Tor Browser Developers (signing key) <torbrowser@torproject.org>

Enter key trust configuration

At the gpg> prompt, run:

gpg> trust

You should get the output:

pub  rsa4096/4E2C6E8793298290
     created: 2014-12-15  expires: 2025-07-21  usage: C
     trust: unknown       validity: unknown
The following key was revoked on 2015-08-26 by RSA key 4E2C6E8793298290 Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub  rsa4096/2D000988589839A3
     created: 2014-12-15  revoked: 2015-08-26  usage: S
sub  rsa4096/EB774491D9FF06E2
     created: 2018-05-26  expired: 2022-01-04  usage: S
sub  rsa4096/E53D989A9E2D47BF
     created: 2021-09-17  expires: 2023-09-17  usage: S
[ unknown] (1). Tor Browser Developers (signing key) <torbrowser@torproject.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Set trust level

Enter '5' and then 'yes'.

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

You should get the following output.

pub  rsa4096/4E2C6E8793298290
     created: 2014-12-15  expires: 2025-07-21  usage: C
     trust: ultimate      validity: unknown
The following key was revoked on 2015-08-26 by RSA key 4E2C6E8793298290 Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub  rsa4096/2D000988589839A3
     created: 2014-12-15  revoked: 2015-08-26  usage: S
sub  rsa4096/EB774491D9FF06E2
     created: 2018-05-26  expired: 2022-01-04  usage: S
sub  rsa4096/E53D989A9E2D47BF
     created: 2021-09-17  expires: 2023-09-17  usage: S
[ unknown] (1). Tor Browser Developers (signing key) <torbrowser@torproject.org>

Please note that the shown key validity is not necessarily correct
unless you restart the program.

Quit

At the gpg> prompt, run:

gpg> q

Verify the Mullvad browser

To verify the installer of the Mullvad browser app you need the signature file. The signature file has exactly the same filename as the browser download, but with .asc appended at the end. The signature files are found under Downloads; download the one for the Mullvad browser release you wish to verify by clicking on the relevant signature file. The signature file must be placed in the same directory as the browser for this to work.

Do the actual verification

The following command will try to verify all signature files starting with "mullvad-browser-" and with the file extension ".asc". You can replace this wildcard name with the actual full name of your signature file if you want to.

Make sure that the command matches the filename that you downloaded.

gpg --verify mullvad-browser-*.asc

If you have multiple .asc files in the same folder then use the full filename or the verification may fail.

You should get the following output. (The example below uses the Linux files; your output should show the file you are trying to verify.)

gpg: assuming signed data in 'mullvad-browser-linux64-12.0a10_ALL.tar.xz'
gpg: Signature made Mon Mar 27 14:50:26 2023 CEST
gpg:                using RSA key E53D989A9E2D47BF
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-07-21
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [ultimate]

The important part above is that the output starts with

Filename you want to verify :

and ends with

Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
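
The verification above, as an added shell example that is not part of Mullvad's guide: instead of reading the human-readable text, it parses gpg's machine-readable --status-fd output and accepts the file only if the VALIDSIG line names the primary-key fingerprint given on this page, so the result does not depend on the trust level set earlier. The function names and the sample status lines are constructed for illustration, and the 40-character subkey fingerprint in the sample is a placeholder.

```shell
#!/bin/sh
# Added example: fingerprint-pinned verification of a Mullvad Browser download.
# Primary-key fingerprint as published on this page.
EXPECTED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Read gpg --status-fd lines on stdin. Succeed only if a VALIDSIG line carries
# EXPECTED_FPR as its primary-key fingerprint (10th argument, awk field 12)
# and no bad/expired/revoked signature status was reported.
check_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($12) == want { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# Verify FILE against FILE.asc. Both names are passed explicitly so gpg does
# not have to guess which data file the signature belongs to.
verify_download() {
    file=$1
    if [ ! -f "$file" ] || [ ! -f "$file.asc" ]; then
        echo "missing $file or $file.asc" >&2
        return 2
    fi
    gpg --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null | check_status
}

# Constructed status lines (not captured output). $1 is the primary-key
# fingerprint to report; the signing-subkey fingerprint is a placeholder
# that only ends in the subkey ID shown on this page.
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG E53D989A9E2D47BF Tor Browser Developers (signing key) <torbrowser@torproject.org>' \
        "[GNUPG:] VALIDSIG 000000000000000000000000E53D989A9E2D47BF 2023-03-27 1679921426 0 4 0 1 10 00 $1"
}

# Run against a real download when a filename is given on the command line.
if [ "$#" -gt 0 ]; then
    if verify_download "$1"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAILED: signature on $1 not accepted" >&2
        exit 1
    fi
fi
```

Pass the downloaded file, not the .asc file, as the argument; the script looks for the signature next to it, as the guide requires.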