Unable to verify Mullvad client 63 with Kleopatra

Discussion in 'privacy technology' started by Holysmoke, May 30, 2017.

  1. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    139
    I imported Mullvad's certificate using support@mullvad.net as the contact at the bottom of the page https://www.mullvad.net/download/ says that is the GPG key.

    I get a Key-ID: 9858D491

    I then download version 63 for windows and the sig file under that download link.

    Using Kleopatra I click decrypt/verify Files and put mullvad-63.exe.asc into the Input file as a detached signature and mullvad-63.exe as the signed data.

    I get the following "
    Signed on 2017-05-29 07:53 with unknown certificate 0xA26581F219C8314C.
    The signature is invalid: No public certificate to verify the signature"

    There is no mention of Mullvad's key in that result. I am worried as I have been using Mullvad.

    Please help me understand what I am doing wrong or is Mullvad 63 indeed corrupt or worse?

    The reason I am worried is Emsisoft said Mullvad is acting like a LAN backdoor

    edit: I have also used an elevated command prompt and attached the results that said it can't check due to no public key
     

    Attached Files:

    Last edited: May 30, 2017
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I don't know Kleopatra. It works with GnuPG. But you also need to download "mullvad-code-signing.asc", and import it.
    Code:
    user@host:~/Downloads$ gpg --import mullvad-code-signing.asc
    gpg: key 66DE8DDF: public key "Mullvad (code signing) <admin@mullvad.net>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    user@host:~/Downloads$ gpg --verify mullvad-63.exe.asc mullvad-63.exe
    gpg: Signature made Mon 29 May 2017 12:53:59 AM SST using RSA key ID 19C8314C
    gpg: Good signature from "Mullvad (code signing) <admin@mullvad.net>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: A119 8702 FC3E 0A09 A9AE  5B75 D5A1 D4F2 66DE 8DDF
         Subkey fingerprint: CA83 A461 53BC 58D6 9518  ED49 A265 81F2 19C8 314C
    
    If you set trust for the Mullvad key, the warning will go away.
     
  3. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    139
    as always, you are most helpful. Many thanks!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.