Because it’s kind of hard! Even if I follow their instructions. Maybe I’m just dumb . . . 🙁
You should always verify signature and hash for any software you are installing but also keep in mind that if someone was really trying to send you a malicious download then there’s good chance that they will also deliver you a malicious signing key and hash. And there is really no good solution. If it is critical you can try to get signings keys from different places and with different IPs and maybe even different devices but pick and choose how long do you want to go down this rabbit hole.
The important is to do it the first time. Then just upgrade the app.
That’s a bad advice you don’t know how they are updating it. If it is added in the repo then package manager will check the signing key but if it is an in app update then that may not be verifying the new package and if someone is doing MITM they can switch it up
I don’t think it’s bad advice for most people. Maybe it’s just bad advice for your treat model
Yeah I guess so. Due to SSL if you want to perform successful MITM you’ll need to have control of DNS and must have rootCA which you control installed on there system/browser. And if it is a supply chain attack where source it self corrupted then there is no hope.
Depending on your threat model, not very important. What are the chances that 1) someone will have hacked Mullvad’s server and installed a compromised version of the browser, and 2) you happen to download the compromised version before the hack is discovered and mitigated?
Also, the signature and the package appear to be on the same server, so what’s necessarily going to stop the hacker from updating the signature to match their hacked package?[Edit: It’s a GPG signature, not a simple hash signature, so I guess that’s so not trivial after all.]That’s kind of what I figured, although after following Mullvad Browser’s instructions for verification, I did get two different RSA keys, if that means anything . . .
From Mullvad support:
What’s your OS and how are you installing it? It’d be normal for a package manager to check this for you.
