What this guide covers
This guide explains how you can verify that you have downloaded the authentic Mullvad Browser install file before you install it.
First you have to install gpg (GnuPG) version 2.1 or newer; avoid the legacy 1.4 version of gpg. This will allow you to use the gpg command in the Terminal.
Many Linux distributions come with gpg already installed. If yours doesn't then you can install it with the default package manager using the package name gnupg2.
On Windows, download and install Gpg4win. It will allow you to use the gpg command in the Command Prompt, and it also comes with a GUI called Kleopatra. This guide uses the Command Prompt.
The Mullvad Browser is signed by the Tor Browser Developers signing key. The fingerprint of the key is:
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
The key can be downloaded and imported (via Web Key Directory lookup) using the following command:
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
If the above command does not work, use Firefox or the Mullvad Browser to download the key and then import it using these commands:
cd Downloads
gpg --import kounek7zrdx745qydx6p59t9mqjpuhdf
You can verify that the key is installed and show its fingerprint using this command:
gpg --fingerprint torbrowser@torproject.org
If you want to double-check that you have the correct key, you can visit the Tor Browser website and confirm that it shows the same fingerprint (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290).
Once you have imported the signing key, you can sign (certify) it with your own key. This step can be skipped, but then every file verification will print a warning saying that the key is not certified with a trusted signature.
If you do not have a PGP key yet, you first have to create one using this command:
Enter your "Real name" (use a fake name if you want to be anonymous) and an "Email address", then enter "O" to confirm. Then enter a password and click on OK.
To sign the Tor Browser Developers signing key, use the following command:
gpg --sign-key torbrowser@torproject.org
You will see a long message listing some revoked keys, and at the end it shows the following:
pub  rsa4096/4E2C6E8793298290
     created: 2014-12-15  expires: 2025-07-21  usage: C
     trust: unknown       validity: unknown
 Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290

     Tor Browser Developers (signing key) <torbrowser@torproject.org>

This key is due to expire on 2025-07-21.
Are you sure that you want to sign this key with your
key "xxx <xxx@example.org>" (xxx)
Enter "y" to sign it and then enter your PGP key password.
To verify the Mullvad Browser install file you need the signature file for the same version of the Mullvad Browser that you downloaded. The signature file is a file with the exact same filename as the browser, but with .asc appended at the end. To download the signature file for the Mullvad Browser, click on the GPG signature button on the Downloads page for your platform.
Navigate into the folder where the files are with the cd command and then run the following command:
gpg --verify mullvad-browser-*.asc
If you have multiple .asc files in the same folder, use the full filename or the verification may fail. For example:
gpg --verify mullvad-browser-linux-x86_64-13.0.4.tar.xz.asc
You should get the following output (the example below is using the Linux file):
gpg: assuming signed data in 'mullvad-browser-linux-x86_64-13.0.4.tar.xz'
gpg: Signature made Thu Nov 23 11:24:40 2023 CET
gpg:                using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [full]
If it says "checking the trustdb" then run the command again to show the output without that.
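The following script is an added example, not part of the Mullvad guide or the Mullvad Browser project. It runs the same gpg --verify step but reads gpg's machine-readable status lines and pins the primary-key fingerprint given above, so the outcome does not depend on whether you signed the key yourself. The script name verify-mullvad.sh is assumed.

```sh
#!/bin/sh
# Added example, not part of the Mullvad guide: check the download with gpg's
# machine-readable --status-fd output instead of reading "Good signature" by
# eye, and compare the primary-key fingerprint from the guide explicitly.
# Because the fingerprint is pinned here, the result does not depend on the
# "not certified with a trusted signature" warning or on having signed the key.
EXPECTED_PRIMARY_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Reads gpg status lines on stdin. Returns 0 only if a VALIDSIG line ends with
# the expected primary fingerprint and no BADSIG/ERRSIG/NO_PUBKEY line appears.
check_status() {
    expected="$1"
    valid=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Field 2 is the signing subkey (613188FC... in the guide's
                # output); the LAST field is the primary key fingerprint.
                for field in $line; do primary="$field"; done
                [ "$primary" = "$expected" ] && valid=1
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1
                ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Verifies FILE against FILE.asc, e.g. mullvad-browser-linux-x86_64-13.0.4.tar.xz
# (both files in the current directory, as in the guide).
verify_download() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" | check_status "$EXPECTED_PRIMARY_FPR"
}

# Usage: sh verify-mullvad.sh mullvad-browser-linux-x86_64-13.0.4.tar.xz
if [ "$#" -eq 1 ]; then
    if verify_download "$1"; then
        echo "OK: $1 is signed by the Tor Browser Developers key"
    else
        echo "FAILED: signature check did not pass, do not install $1"
        exit 1
    fi
fi
```

A VALIDSIG line from a different primary key, or any BADSIG line, makes the script fail even if gpg also printed a "Good signature" message for some other key in the file.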