It is important if you care. They sign releases with the same Tor Browser key. Instructions are found on this page: https://mullvad.net/en/help/verifying-mullvad-browser-signature

You need 2 files (both are on the download page):

• Browser file
• Signature file

The basic process is as follows:

1. Obtain signing key.
2. Verify browser using signature file.

Note: Ignore warning about the key not being signed with a trusted key (we skip an unnecessary step for a begineer walkthrough)

You can double check everything I said by looking at their instructions.

Signature verification protects you against malicious actors. Generally its not critical, but if you’re worried about the source you’re getting software from, then I highly recommend that you verify the signature. Ideally, you’re given an asc file with the distribution and assuming you have PGP installed (and have a key), it’s pretty easy.

First you want to import the public key they are saying that they use to sign all of their distributions;

gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

Once it’s in your keyring, you sign it with your own key;

gpg --sign-key torbrowser@torproject.org

This is you telling the keyring that you trust this exact signing key, so now when you verify anything using that signing key (no matter where you get it from) you’ll get a little message saying “hey, we know who this is, this is probably safe!”;

$ gpg --verify mullvad-browser-linux-x86_64-13.0.4.tar.xz.asc
gpg: assuming signed data in 'mullvad-browser-linux-x86_64-13.0.4.tar.xz'
gpg: Signature made Thu Nov 23 11:24:40 2023 CET
gpg:                using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [full]

In all reality, signing archives like this isn’t really necessary anymore. In the early days of the internet when resources were scarce and web-servers didn’t have 100% uptime, people mainly got software from FTP servers that weren’t up all the time. So you have to search and hunt for software and sometimes get it from random places. This was a way for you to ensure that even though you didn’t get it from an official source, that the software you were about to put on your machine wasn’t messed with.

These days you’re gonna get it directly from Mullvad–but even so, using signing keys protects you from MITM attacks, so that’s always cool. lol.

The important is to do it the first time. Then just upgrade the app.

Depending on your threat model, not very important. What are the chances that 1) someone will have hacked Mullvad’s server and installed a compromised version of the browser, and 2) you happen to download the compromised version before the hack is discovered and mitigated? Also, the signature and the package appear to be on the same server, so what’s necessarily going to stop the hacker from updating the signature to match their hacked package? [Edit: It’s a GPG signature, not a simple hash signature, so I guess that’s so not trivial after all.]