Mullvad VPN / verifying signatures?

Hello, I am a noob to Linux and to Manjaro. I was converted from Windows, so I'm struggling…
I have already read the other relevant topics but cannot understand how to fix the problem…

As reference:


I am trying to install Mullvad VPN via the “add/remove software” program.
I have AUR arch repository enabled and see there are several versions of the VPN…

Due to the higher number of votes, I chose this package:

AUR (en) - mullvad-vpn
…BUT when I attempt to install it I see an error message in regards to the “PGP signatures”

==> Verifying source file signatures with gpg…
mullvadvpn-app git repo … FAILED (unknown public key 78CEAA8CB72E4467)
mullvadvpn-app-binaries git repo … FAILED (unknown public key 78CEAA8CB72E4467)
==> ERROR: One or more PGP signatures could not be verified!
Failed to build mullvad-vpn

I did try to follow the instructions on the arch package + mullvad website to verify the signatures,

Verifying signatures - Guides | Mullvad VPN
However I have never done this before & I am not sure what I am doing…

I already “trusted” as #5 ultimate via command:
gpg2 --edit-key A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF
BUT I do not understand how to “verify”?

I downloaded the “code signing key” from mullvad…
BUT I am not downloading from the Mullvad website but rather the AUR repository,
so I don't understand how/when/where to use this code?

Also I am confused because I am in between the terminal & the add/remove software windows.
Do these two programs communicate? Do I have to do the install in one or the other?
If I start in the terminal, would I have to manually install everything there?

On the mullvad website on verifying signatures they say to put in terminal:
gpg2 --verify MullvadVPN-*.asc
BUT what code goes here?
EA0A77BF9E115615FC3BD8BC7653B940E494FE87?
I got this from the pkgbuild file of the program

HELP!?
THANKS in advance!

what is the output of the command:

gpg --list-keys

pub   rsa4096 2016-10-27 [SC]
      A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF
uid           [ultimate] Mullvad (code signing) <admin@mullvad.net>
sub   rsa4096 2016-10-27 [E]
sub   rsa4096 2016-10-27 [S]

Looks like you did add and trust the signing key. Now try to install the mullvad-vpn-bin package that you can find in the AUR.

You should ALWAYS read the pinned message among other messages for the AUR packages:

PINNED MESSAGE

This package will verify the signature of the git tag / commit. Developer keys are available here and instructions are here. See the PKGBUILD to determine which developer key you need.

This is important:

See the PKGBUILD to determine which developer key you need.

This is the PKGBUILD that you can find on the top right of that AUR page.

In the PKGBUILD, you can see:

validpgpkeys=('EA0A77BF9E115615FC3BD8BC7653B940E494FE87')
              # Linus Färnstrand (code signing key) <linus at mullvad dot net>

So you want to go find Linus’ dev key here, which is located at the bottom of the page.

The link to Linus’ key is https://mullvad.net/media/signing-keys/linus-code-signing.asc

You can download and import this key via:

wget https://mullvad.net/media/signing-keys/linus-code-signing.asc
gpg2 --import linus-code-signing.asc

wget downloads the file to your home folder. You can manually download the file from the website yourself, then run gpg2 to import; I just use the terminal since I was already there.


After this, you should be able to install mullvad-vpn without any issues using pamac or an AUR helper.

I just did it yesterday on my new laptop 🙂

2 Likes
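
A pre-import check for the step described above, as an added example that is not part of the original posts: it reads `validpgpkeys` from a PKGBUILD and confirms that a downloaded key file carries one of those fingerprints before `gpg2 --import` is run. The function names and the trimmed sample listings are constructed for illustration; the fingerprints are the two quoted in this thread.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, sample data is constructed.

# Print every fingerprint in the validpgpkeys=(...) array of a PKGBUILD (stdin).
pkgbuild_keys() {
    awk '/^[ \t]*validpgpkeys=\(/ { inarr = 1 }
         inarr { sub(/#.*/, ""); print; if ($0 ~ /\)/) inarr = 0 }' |
        grep -oE '[0-9A-Fa-f]{40}' | tr 'a-f' 'A-F'
}

# Print the fingerprints (field 10 of "fpr" records) found in the output of
# `gpg --show-keys --with-colons FILE`, read on stdin.
colon_fprs() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 only if the key listing on stdin contains a fingerprint that the
# PKGBUILD at $1 pins; exit 2 if the PKGBUILD pins no key at all.
key_is_expected() {
    wanted=$(pkgbuild_keys < "$1")
    [ -n "$wanted" ] || return 2
    colon_fprs | grep -qxF -- "$wanted"
}

# Constructed sample: the PKGBUILD line quoted in the thread.
SAMPLE_PKGBUILD="validpgpkeys=('EA0A77BF9E115615FC3BD8BC7653B940E494FE87')
              # (code signing key)"

# Constructed, trimmed colon listings (most fields left empty).
# The key the PKGBUILD pins:
SAMPLE_PINNED='pub:-:::7653B940E494FE87:
fpr:::::::::EA0A77BF9E115615FC3BD8BC7653B940E494FE87:'
# The Mullvad release key that was imported first in this thread:
SAMPLE_OTHER='pub:-:::D5A1D4F266DE8DDF:
fpr:::::::::A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF:'

# Real use, from the directory holding the PKGBUILD and the downloaded key:
#   gpg --show-keys --with-colons linus-code-signing.asc | key_is_expected PKGBUILD \
#       && gpg2 --import linus-code-signing.asc
```

`gpg --show-keys` only lists the contents of the file and does not add anything to the keyring, so the comparison happens before any key is imported.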

Ok got the key imported and downloaded…
Now what?

gpg2 --verify MullvadVPN-*.asc

I replace the “MullvadVPN-*.” with Linus’ code?

You just install the package via pamac or an AUR helper.

pamac build mullvad-vpn

You could just install mullvad-vpn-bin because you already signed the correct key for that package, or do as @realmain is suggesting for the mullvad-vpn package.

Looks like everything installed correctly after realmain’s instructions on Linus dev keys.
Thanks to everyone for your quick and helpful responses!
😁
