Signature verification protects you against malicious actors. Generally its not critical, but if you're worried about the source you're getting software from, then I highly recommend that you verify the signature. Ideally, you're given an asc file with the distribution and assuming you have PGP installed (and have a key), it's pretty easy.

First you want to import the public key they are saying that they use to sign all of their distributions;

gpg --auto-key-locate nodefault,wkd --locate-keys [email protected]

Once it's in your keyring, you sign it with your own key;

gpg --sign-key [email protected]

This is you telling the keyring that you trust this exact signing key, so now when you verify anything using that signing key (no matter where you get it from) you'll get a little message saying "hey, we know who this is, this is probably safe!";

$ gpg --verify mullvad-browser-linux-x86_64-13.0.4.tar.xz.asc
gpg: assuming signed data in 'mullvad-browser-linux-x86_64-13.0.4.tar.xz'
gpg: Signature made Thu Nov 23 11:24:40 2023 CET
gpg:                using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <[email protected]>" [full]

In all reality, signing archives like this isn't really necessary anymore. In the early days of the internet when resources were scarce and web-servers didn't have 100% uptime, people mainly got software from FTP servers that weren't up all the time. So you have to search and hunt for software and sometimes get it from random places. This was a way for you to ensure that even though you didn't get it from an official source, that the software you were about to put on your machine wasn't messed with.

These days you're gonna get it directly from Mullvad--but even so, using signing keys protects you from MITM attacks, so that's always cool. lol.