To verify the Mullvad Browser, visit the following guide: https://mullvad.net/help/verifying-mullvad-browser-signature/
Learn how to verify the Mullvad VPN app releases.
Install GnuPG
First you need to get GnuPG (GPG) version 2.1 or newer. Avoid the legacy 1.4 version of GnuPG.
Linux
Many Linux distros come with GnuPG already installed. If not, you can usually install it via the default package manager under the package name gnupg2.
macOS
Install GnuPG 2.2 via Homebrew by running brew install gnupg in the Terminal app.
Windows
You can install the Gpg4win package available on the official GnuPG website. After doing that, the gpg command should be available in the Command Prompt.
Download and import the signing key
The fingerprint of our code signing key is A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF and it can be downloaded from our website or by using wget in a Linux Terminal:
wget https://mullvad.net/media/mullvad-code-signing.asc
Then import the key using the following command in the Terminal (Linux, macOS) or Command Prompt (Windows) in the folder where the key was downloaded:
gpg --import mullvad-code-signing.asc
Trust the signing key
Once you have downloaded the signing key you should set the trust level to "ultimate" so that it can be used to automatically verify all the keys signed by the Mullvad signing key. This step can be skipped, but then a warning will be printed during each file verification saying that the key is not certified with a trusted signature.
To open the GnuPG key edit prompt, enter the following command:
gpg --edit-key A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF
You should get this output:
gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/D5A1D4F266DE8DDF
created: 2016-10-27 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/C187D22C089EF64E
created: 2016-10-27 expires: never usage: E
sub rsa4096/A26581F219C8314C
created: 2016-10-27 expires: never usage: S
[ unknown] (1). Mullvad (code signing) <admin@mullvad.net>
Configure the key trust
At the gpg> prompt enter the following command:
trust
You should get this output:
pub rsa4096/D5A1D4F266DE8DDF
created: 2016-10-27 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/C187D22C089EF64E
created: 2016-10-27 expires: never usage: E
sub rsa4096/A26581F219C8314C
created: 2016-10-27 expires: never usage: S
[ unknown] (1). Mullvad (code signing) <admin@mullvad.net>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Set trust level
When it asks "Your decision?", type 5 and press Enter.
When it asks "Do you really want to set this key to ultimate trust?", type y and press Enter.
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
You should get this output:
pub rsa4096/D5A1D4F266DE8DDF
created: 2016-10-27 expires: never usage: SC
trust: ultimate validity: unknown
sub rsa4096/C187D22C089EF64E
created: 2016-10-27 expires: never usage: E
sub rsa4096/A26581F219C8314C
created: 2016-10-27 expires: never usage: S
[ unknown] (1). Mullvad (code signing) <admin@mullvad.net>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Quit
At the gpg> prompt type q and press Enter.
Verify the Mullvad VPN app
To verify the installer of the Mullvad VPN app you need the signature file. The signature file has exactly the same filename as the installer, but with .asc appended at the end. Signature files are found under Download Client; click on the relevant one to download the signature for the Mullvad VPN app release you wish to verify. The signature file must be placed in the same directory as the installer for this to work.
In this example, we will download the latest Mullvad VPN app for Debian and its signature in a terminal.
wget --trust-server-names https://mullvad.net/download/app/deb/latest
wget --trust-server-names https://mullvad.net/download/app/deb/latest/signature
Do the actual verification
The following command will try to verify all signature files starting with "MullvadVPN-" and with the file extension ".asc". You can replace this wildcard with the full name of your signature file if you want to.
gpg --verify MullvadVPN-*.deb.asc
If you have multiple .asc files in the same folder then use the full filename or the verification may fail.
You should get this output:
gpg: assuming signed data in 'MullvadVPN-2019.4_x86_64.rpm'
gpg: Signature made Tue Jun 11 22:14:58 2019 CEST
gpg: using RSA key CA83A46153BC58D69518ED49A26581F219C8314C
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Mullvad (code signing) <admin@mullvad.net>" [ultimate]
The important part above is that the output starts with
assuming signed data in '{Filename of installer you want to verify}'
and ends with
Good signature from "Mullvad (code signing) <admin@mullvad.net>".
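The same check done by script, as an added example that is not part of Mullvad's guide: instead of reading the human-readable output, it parses gpg's --status-fd lines and accepts the installer only if the VALIDSIG line names the fingerprint published above as the primary key. The function names, the throwaway keyring and the sample status lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Mullvad's code). Function names are hypothetical.

# Fingerprint of the Mullvad code signing key as published on this page.
MULLVAD_FPR="A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF"

# Constructed sample of `gpg --status-fd 1 --verify` output (dates and numeric
# fields are made up). The signing subkey comes first on the VALIDSIG line,
# the primary key it belongs to comes last.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A26581F219C8314C Mullvad (code signing) <admin@mullvad.net>
[GNUPG:] VALIDSIG CA83A46153BC58D69518ED49A26581F219C8314C 2019-06-11 1560284098 0 4 0 1 8 00 A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF'

# Read status lines on stdin. Succeed only if a VALIDSIG line ends with the
# pinned primary fingerprint $1 and no bad/expired/revoked status was reported.
status_is_pinned_goodsig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($NF "") == (want "") { good = 1 }
        END { exit !(good && !bad) }
    '
}

# verify_release INSTALLER SIGNATURE [KEYFILE]
# Imports the key file into a temporary keyring, so no other key already in
# your own keyring can satisfy the check, then verifies the detached signature.
verify_release() {
    installer=$1; sig=$2; keyfile=${3:-mullvad-code-signing.asc}
    tmp=$(mktemp -d) || return 2
    gpg --homedir "$tmp" --batch --quiet --import "$keyfile" 2>/dev/null ||
        { rm -rf "$tmp"; return 2; }
    if gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$installer" \
            2>/dev/null | status_is_pinned_goodsig "$MULLVAD_FPR"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Runs only when called with arguments, for example:
#   sh verify.sh MullvadVPN-x.deb MullvadVPN-x.deb.asc
if [ "$#" -ge 2 ]; then
    verify_release "$@" && echo "OK: signed under key $MULLVAD_FPR" ||
        { echo "FAILED: no valid signature from the pinned key" >&2; exit 1; }
fi
```

Because the keyring is temporary, the result does not depend on the trust level set in the earlier steps.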
Code signing key
Here is the code signing key in plain text: