Depending on your threat model, not very important. What are the chances that 1) someone will have hacked Mullvad’s server and installed a compromised version of the browser, and 2) you happen to download the compromised version before the hack is discovered and mitigated?
You’ll want to make sure that the key you’re validating is provided through another trusted channel, so that an attacker can’t provide a bad download and have you check it against their bad key too.
Depending on your threat model, not very important. What are the chances that 1) someone will have hacked Mullvad’s server and installed a compromised version of the browser, and 2) you happen to download the compromised version before the hack is discovered and mitigated?
Right. The risk is low, but nonzero.
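The check described in this thread, as an added example that is not part of any post: accept a download only when GnuPG reports a valid signature under a primary key whose fingerprint matches one obtained through a second channel. The pinned fingerprint and both status samples are constructed placeholders, and the function name is hypothetical.

```python
import re

# Assumption: this fingerprint was copied from a second, independent channel.
# It is a constructed placeholder (v4, 40 hex digits), not a real project's key.
PINNED_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Status keywords that mean the signature must not be trusted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    return re.sub(r"\s+", "", fpr).upper()

def signed_by_pinned_key(status_output, pinned_fpr=PINNED_FPR):
    """True only if gpg reported a valid signature under the pinned primary key.

    status_output is what `gpg --status-fd 1 --verify <sig> <file>` prints.
    """
    pinned = normalize(pinned_fpr)
    if not re.fullmatch(r"[0-9A-F]{40}", pinned):
        raise ValueError("pin a full 40-hex-digit fingerprint, not a short key ID")
    valid = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return False
        if keyword == "VALIDSIG":
            # Argument 10 is the primary key fingerprint; argument 1 is the
            # fingerprint of the (sub)key that actually made the signature.
            if len(args) < 10 or normalize(args[9]) != pinned:
                return False
            valid = True
    return valid

# Constructed status output: signature made by a subkey of the pinned key.
GENUINE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signing Key <sign@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Constructed status output: the signature verifies, but only against a key
# that arrived over the same channel as the download.
SWAPPED_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed Other Key <other@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 1 10 00 1111111111111111111111111111111111111111
"""
```

The second sample is the case the thread warns about: GnuPG reports the signature as good, and only the comparison against the independently obtained fingerprint rejects it.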