Signature verification protects you against malicious actors. Generally its not critical, but if you’re worried about the source you’re getting software from, then I highly recommend that you verify the signature. Ideally, you’re given an asc file with the distribution and assuming you have PGP installed (and have a key), it’s pretty easy.
First you want to import the public key they are saying that they use to sign all of their distributions;
Once it’s in your keyring, you sign it with your own key;
gpg --sign-key torbrowser@torproject.org
This is you telling the keyring that you trust this exact signing key, so now when you verify anything using that signing key (no matter where you get it from) you’ll get a little message saying “hey, we know who this is, this is probably safe!”;
$ gpg --verify mullvad-browser-linux-x86_64-13.0.4.tar.xz.asc
gpg: assuming signed data in'mullvad-browser-linux-x86_64-13.0.4.tar.xz'
gpg: Signature made Thu Nov 2311:24:402023 CET
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [full]
In all reality, signing archives like this isn’t really necessary anymore. In the early days of the internet when resources were scarce and web-servers didn’t have 100% uptime, people mainly got software from FTP servers that weren’t up all the time. So you have to search and hunt for software and sometimes get it from random places. This was a way for you to ensure that even though you didn’t get it from an official source, that the software you were about to put on your machine wasn’t messed with.
These days you’re gonna get it directly from Mullvad–but even so, using signing keys protects you from MITM attacks, so that’s always cool. lol.
Thank you for taking the time to write all that! I did do what you described, but the RSA key I got at the end was different from what Mullvad’s webpage says, which is the same as what you put, I think: 6131 . . . etc.
Signature verification protects you against malicious actors. Generally its not critical, but if you’re worried about the source you’re getting software from, then I highly recommend that you verify the signature. Ideally, you’re given an
ascfile with the distribution and assuming you have PGP installed (and have a key), it’s pretty easy.First you want to import the public key they are saying that they use to sign all of their distributions;
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.orgOnce it’s in your keyring, you sign it with your own key;
gpg --sign-key torbrowser@torproject.orgThis is you telling the keyring that you trust this exact signing key, so now when you verify anything using that signing key (no matter where you get it from) you’ll get a little message saying “hey, we know who this is, this is probably safe!”;
$ gpg --verify mullvad-browser-linux-x86_64-13.0.4.tar.xz.asc gpg: assuming signed data in 'mullvad-browser-linux-x86_64-13.0.4.tar.xz' gpg: Signature made Thu Nov 23 11:24:40 2023 CET gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [full]In all reality, signing archives like this isn’t really necessary anymore. In the early days of the internet when resources were scarce and web-servers didn’t have 100% uptime, people mainly got software from FTP servers that weren’t up all the time. So you have to search and hunt for software and sometimes get it from random places. This was a way for you to ensure that even though you didn’t get it from an official source, that the software you were about to put on your machine wasn’t messed with.
These days you’re gonna get it directly from Mullvad–but even so, using signing keys protects you from MITM attacks, so that’s always cool. lol.
Thank you for taking the time to write all that! I did do what you described, but the RSA key I got at the end was different from what Mullvad’s webpage says, which is the same as what you put, I think: 6131 . . . etc.
Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [full]Did you see this notification at all when you verified the key signature?
Yes, I got:
Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [full]Does that mean it’s ok? Maybe Mullvad just needs to update their website?