I imported Mullvad's certificate using support@mullvad.net as the contact at the bottom of the page https://www.mullvad.net/download/ says that is the GPG key. I get a Key-ID: 9858D491 I then download version 63 for windows and the sig file under that download link. Using Kleopatra I click decrypt/verify Files and put mullvad-63.exe.asc into the Input file as a detached signature and mullvad-63.exe as the signed data. I get the following " Signed on 2017-05-29 07:53 with unknown certificate 0xA26581F219C8314C. The signature is invalid: No public certificate to verify the signature" There is no mention of Mullvad's key in that result. I am worried as I have been using Mullvad. Please help me understand what I am doing wrong or is Mullvad 63 indeed corrupt or worse? The reason I am worried is Emsisoft said Mullvad is acting like a LAN backdoor edit: I have also used an elevated command prompt and attached the results that said it can't check due to no public key
I don't know Kleopatra. It works with GnuPG. But you also need to download "mullvad-code-signing.asc", and import it. Code: user@host:~/Downloads$ gpg --import mullvad-code-signing.asc gpg: key 66DE8DDF: public key "Mullvad (code signing) <admin@mullvad.net>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) user@host:~/Downloads$ gpg --verify mullvad-63.exe.asc mullvad-63.exe gpg: Signature made Mon 29 May 2017 12:53:59 AM SST using RSA key ID 19C8314C gpg: Good signature from "Mullvad (code signing) <admin@mullvad.net>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: A119 8702 FC3E 0A09 A9AE 5B75 D5A1 D4F2 66DE 8DDF Subkey fingerprint: CA83 A461 53BC 58D6 9518 ED49 A265 81F2 19C8 314C If you set trust for the Mullvad key, the warning will go away.