Verifying software using Sparrow wallet (example: Mullvad VPN)

[apogio]

Disclaimer: I am using Windows for this tutorial, but it's identical on Linux and macOS.

Every beginner should know about the importance of verifying the origination of the software that we download.

Unlike the real world, where you can't be sure if something that you buy is genuine and you have to use experts to verify it, in the digital world we can verify ourselves everything that we download.

This is a super-quick guide, about verifying the software you download using Sparrow wallet.

Many beginners think about which wallet to use and many have downloaded Sparrow. Kudos! Sparrow is a great wallet. But, let's focus on a specific feature that it supports, which is (as you guessed) the feature to verify downloaded software.

I will download and verify Mullvad VPN. The process should work symmetrically for the great majority of software.

General info

This information is intended for the complete beginners and I will try to make it as easy as possible.

In cryptography, there are key-pairs (private & public).
The private key is used to sign a file to let the people who download it know that it's genuinely produced by the real creators. The private key, since it has the ability to sign and, therefore, make sensitive operations, needs to stay private.
On the other hand, the public key is used by the consumers, to verify that the file is indeed produced by the real creators. Since it's used by the consumers, it can be freely transferred between the producers and the consumers.

The signing process takes place using specific software which we don't need to cover in this tutorial, but the point is, that it generates a signature.

So, in order to verify that a software is indeed produced by the real developers, we need 3 things:
(a) the software itself, which in windows is normally a .exe file.
(b) the developer's public key, because it's essentially the proof of their identity.
(c) the signature, with which the developers prove that they have signed the original file.

It's worth noting that it's impossible to generate the same signature without having the private key, so if we have the real signature and public key, we can be sure that the file is indeed signed by the real people.

Specific process

Everything that we download here, make sure to save it in the Downloads folder. It's not mandatory, but it will help!

When you visit the Mullvad Download page, you will be presented with the following page:



Notice the 3 buttons I have included in the red circle. These buttons will provide us with the 3 things that we need (software, public key, signature).

Just click to download the software (the green button) and store it in the Downloads directory. The file should be named MullvadVPN-2025.5.exe or something similar.

Then, click on the GPG signature (the white button) and store it in the Downloads directory. The file should be named MullvadVPN-2025.5.exe.asc or something similar.

So, now we have the 2 out of the 3 needed things.

Let's click the "What is this" link, which will guide us here:



Click on the link, and it will start downloading the final piece, which is the public key. Store it in the Downloads directory. The file should be named mullvad-code-signing.asc or something similar.

Now, you have collected all the pieces of the puzzle. Congrats!

Open up Sparrow wallet and navigate to Tools -> Verify download.

You will be presented with this screen:



Just import the files, browsing your Downloads folder. You should see this:



Congratulations! Just go ahead and install the software!

[Findingnemo]

Solid and beginner-friendly walkthrough because even I can understand it.

I usually stick with the official sources for validation or authenticity instead of doing it on my own, but it's good to learn about the process, which I might try for learning and understanding purposes after this thread. The authenticity of software is really important in the digital world not just limited to the cryptos, so thanks for the guide.

[apogio]

Solid and beginner-friendly walkthrough because even I can understand it.

I usually stick with the official sources for validation or authenticity instead of doing it on my own, but it's good to learn about the process, which I might try for learning and understanding purposes after this thread. The authenticity of software is really important in the digital world not just limited to the cryptos, so thanks for the guide.

Thanks.
The idea of validating the software is super important, because it eliminates scams, unless of course the original software is a scam.
The point behind this tutorial, is that every beginner will (hopefully) download a software to manage their wallets. The fact that Sparrow (which is a great wallet software) also supports this feature is fantastic. So, it becomes less intimidating for the average beginner bitcoiner.

[Findingnemo]

^Exactly, don't trust, verify by ourselves, it's not just verification, but we can practice this as a habit that improves our security overall when it comes to the usage of apps. To be honest, I have Sparrow wallet installed in my Windows, but I have never seen a feature that can be useful for the verification of the app signatures.

I might not use it straight away, but knowing how to is the key. I hope people who read this will use the tutorial and educate themselves as I did.

[Trêvoid]

Hi good work, this tutorial is an excellent practical introduction. Always download on trusted sources and verify key fingerprints to avoid man-in-the-middle attacks.

[rdluffy]

Nice topic 
After some time in crypto I became a bit paranoid and changed a lot my behavior on the PC
I used to use a lot of programs, I was always testing something different, I downloaded a lot of stuff...
And that changed a lot after I started worrying more about security

I've never used Sparrow Wallet, but I'm going to try it out

To download something I've never used, or when I need to download a new wallet or a new version, I always check the forum to see if there are any warnings, search X or Discord, and Google itself to see if it's safe
I'll add this test hehehe, and I'll try Sparrow 

[nc50lc]

-snip- The fact that Sparrow (which is a great wallet software) also supports this feature is fantastic. So, it becomes less intimidating for the average beginner bitcoiner.

I have Sparrow and I never noticed that feature until this thread.
They have an automated Tor service within the app, and then an integrated GPG tool, they're really making it easy for newbies to do/have the good optional features like those.

A bit counterproductive though when it comes with verifying a fresh download of Sparrow with Sparrow.
I just want to leave a note for newbies: Do not verify your Sparrow download with that same download (when installed/launched).
It works when updating scenario where the previous version is already verified where the user can be ensured that the verification to be done wont forged by a possibly fake Sparrow software.

[apogio]

A bit counterproductive though when it comes with verifying a fresh download of Sparrow with Sparrow.

I really never thought about this scenario. Thanks for mentioning that. But it creates a deadlock for my tutorial, because I am saying that Sparrow can be used to verify other software easily, but what about verifying Sparrow itself?!

[satscraper]

but what about verifying Sparrow itself?!

In this case you should not update Sparrow immediately after completing your download. Instead, use your current version of Sparrow to verify the signature of the newly downloaded file. Your existing Sparrow installation should already be verified ^{either using standard OpenPGP command-line or via Kleopatra, which serves as GUI for those commands}. In fact, Sparrow includes built-in signature verification GUI to make the process easier for users who aren't comfortable with the command line.^{Personally, I always prefer using the command line to verify signatures for any download.}

[dumpsterhawk]

Good guide. It is important to verify critical software such as VPN and wallets, but it is not for all users. The Bitcoin side of cryptocurrency is more into security verification than the altcoin projects.

but what about verifying Sparrow itself?!

In this case you should not update Sparrow immediately after completing your download. Instead, use your current version of Sparrow to verify the signature of the newly downloaded file. Your existing Sparrow installation should already be verified ^{either using standard OpenPGP command-line or via Kleopatra, which serves as GUI for those commands}. In fact, Sparrow includes built-in signature verification GUI to make the process easier for users who aren't comfortable with the command line.^{Personally, I always prefer using the command line to verify signatures for any download.}

It is great that they include this, a lot of people are not comfortable with the command line at all. Actually, many computer users will struggle with doing this using the GUI as well. The knowledge is lacking for these things.

[apogio]

In this case you should not update Sparrow immediately after completing your download. Instead, use your current version of Sparrow to verify the signature of the newly downloaded file. Your existing Sparrow installation should already be verified ^{either using standard OpenPGP command-line or via Kleopatra, which serves as GUI for those commands}. In fact, Sparrow includes built-in signature verification GUI to make the process easier for users who aren't comfortable with the command line.^{Personally, I always prefer using the command line to verify signatures for any download.}

My question is rhetorical, because what I wanted to do was to help people not to mess with any other software apart from Sparrow, but I appreciate the response, nevertheless.

Good guide. It is important to verify critical software such as VPN and wallets, but it is not for all users. The Bitcoin side of cryptocurrency is more into security verification than the altcoin projects.

GPG existed long before bitcoin and in my opinion, the power of both of them is astonishing. I could name these 2 as the biggest inventions of cryptography!

[satscraper]

GPG existed long before bitcoin and in my opinion, the power of both of them is astonishing. I could name these 2 as the biggest inventions of cryptography!

You know, using asymmetric encryption with GPG ^{like signing or encrypting} is good for files of relatively small size. When the file is big enough the encryption/decryption process becomes painfully slow and in this case it's better to use symmetric key which can be exchanged publicly with the use of Diffie-Hellman algo. ^{BTW, the variants of the latter is used by browsers to establish https connections to sites.} Thus, I would add DH to those 2 also.

[dkbit98]

This is very useful feature and I didn't know Sparrow wallet implemented it, this is another plus for them.
On the other hand, I doubt most of the people are checking and verifying any software like this before installing, especially on wind0ws spyware OS.
If yo know any other Bitcoin wallet with option to verify software please post it below.

[Silentcursor]

I like the new Sparrow wallet feature. This addition to their ecosystem can be especially handy for developers and anyone who frequently downloads software from the internet. I was hoping the new feature will be integrated in a newest version instead of the earlier version 1.8.3.