Verifying Mullvad Browser signature

This guide explains how you can verify that you have downloaded the authentic Mullvad Browser install file before you install it.

Install GnuPG

First, install gpg (GnuPG) version 2.1 or newer; avoid the legacy 1.4 version. This lets you use the gpg command in the Terminal.

Linux

Many Linux distributions come with gpg already installed. If yours doesn't then you can install it with the default package manager using the package name gnupg2.

macOS

You can install Homebrew and then install gpg by running brew install gnupg. It will allow you to use the gpg command in the Terminal. Another option is to install GPG Suite.

Windows

Download and install Gpg4win. It will allow you to use the gpg command in the Command Prompt and it also comes with a GUI called Kleopatra. This guide uses the Command Prompt.

Download the signing key

The Mullvad Browser is signed with the Tor Browser Developers signing key. The fingerprint of the key is:

EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

This can be downloaded and imported using the following command:

gpg --auto-key-locate nodefault,wkd --locate-keys [email protected]

If the above command does not work then use Firefox or the Mullvad Browser to download the key and then import it using these commands:

cd Downloads

gpg --import kounek7zrdx745qydx6p59t9mqjpuhdf

You can verify that the key is installed and show its fingerprint using this command:

gpg --fingerprint [email protected]

If you want to double-check that you have the correct key then you can visit the Tor Browser website and see that they show the same fingerprint (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290).

Sign the key

Once you have imported the signing key you can sign it with your own key. This step can be skipped, but then a warning will be printed during each file verification saying that the key is not certified with a trusted signature.

If you do not have a PGP key yet, first create one using this command:

gpg --gen-key

Enter your "Real name" (use a fake name if you want to be anonymous) and an "Email address", then enter "O" to confirm. Then enter a password and click on OK.

To sign the Tor Browser Developers signing key use the following command:

gpg --sign-key [email protected]

You will see a long message listing some revoked keys, and at the end it shows the following:

pub  rsa4096/4E2C6E8793298290
     created: 2014-12-15  expires: 2025-07-21  usage: C   
     trust: unknown       validity: unknown
 Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

     Tor Browser Developers (signing key) <[email protected]>

This key is due to expire on 2025-07-21.
Are you sure that you want to sign this key with your
key "xxx <[email protected]>" (xxx)

Enter "y" to sign it and then enter your PGP key password.

Verify the Mullvad Browser

To verify the Mullvad Browser install file you need the signature file for the same version of the Mullvad Browser that you downloaded. The signature file is a file with the exact same filename as the browser, but with .asc appended at the end. To download the signature file for the Mullvad Browser, click on the GPG signature button on the Downloads page for your platform.

Make sure to place the signature file and the browser install file in the same folder.

Navigate into the folder where the files are with the cd command and then run the following command:

gpg --verify mullvad-browser-*.asc

If you have multiple .asc files in the same folder then use the full filename or the verification may fail. For example:

gpg --verify mullvad-browser-linux-x86_64-13.0.4.tar.xz.asc

You should get the following output (the example below is using the Linux file).

gpg: assuming signed data in 'mullvad-browser-linux-x86_64-13.0.4.tar.xz'
gpg: Signature made Thu Nov 23 11:24:40 2023 CET
gpg:                using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <[email protected]>" [full]

If it says "checking the trustdb" then run the command again to show the output without that.
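
The "using RSA key" line in the output above names a signing subkey, not the fingerprint published in this guide, so a scripted check should compare the primary key instead. The following is an added example, not a script from Mullvad or the Tor Project: it parses gpg's machine-readable status output and accepts the file only for a good signature whose primary key is the fingerprint given in this guide. The function names are hypothetical, and it assumes the VALIDSIG status line carries the primary-key fingerprint as its last field, as gpg 2.x prints it.

```shell
#!/bin/sh
# Added example, not Mullvad's or the Tor Project's script.
# Pinned primary-key fingerprint, copied from this guide (spaces removed).
PINNED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Constructed sample of `gpg --status-fd` output for the Linux file in this
# guide (key fingerprints taken from the guide, other fields made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG E53D989A9E2D47BF Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF 2023-11-23 1700735080 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# Reads status lines on stdin. Succeeds, printing the signing (sub)key
# fingerprint, only for a good signature whose primary key is the pinned one.
status_ok_for_pin() {
    awk -v pin="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Bad, unverifiable, expired or revoked: never accept.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the key that made the signature (often a subkey);
            # $12 is its primary key. Compare the primary key to the pin.
            if (NF >= 12 && toupper($12) == pin) { pinned = 1; signer = $3 }
        }
        END {
            ok = (good && pinned && !bad)
            if (ok) print signer
            exit !ok
        }'
}

# Usage: verify_browser <install file name>.asc (install file beside it).
verify_browser() {
    sig=$1
    file=${sig%.asc}
    [ -f "$sig" ] && [ -f "$file" ] || { echo "missing $sig or $file" >&2; return 2; }
    # Status lines go to stdout (fd 1); the human-readable text is discarded.
    if signer=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null | status_ok_for_pin)
    then
        echo "OK: $file signed by $signer under primary key $PINNED_FPR"
    else
        echo "FAIL: $file is not validly signed by the pinned key" >&2
        return 1
    fi
}

# Run the check when a signature file is given as an argument.
[ "$#" -eq 0 ] || verify_browser "$1"
```

This check does not depend on having signed the key yourself, because it pins the fingerprint rather than relying on the trust level shown in brackets.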