Verify a Nexus onion with PGP
Two habits check whether a Nexus Market onion is real. The captcha match is fast and works every session. The PGP verification is the anchor for both, done once per rotation.
Why the check matters
A phishing clone can copy every pixel of the Nexus login page. The only thing it cannot copy is the operator PGP signature that comes with every published rotation. If a signature validates against the operator public key you already have on your keyring, the address inside came from the operator. If it does not, the message is fake and the address inside is worthless. Nothing else on the clearnet or on Tor is a stronger anchor than that.
The four commands
Import the operator public key once. Save the signed rotation to a text file. Run gpg --verify on the file. Compare the onion in the message to the current mirror set on this site.
1. gpg --import nexus.asc
2. save the envelope to rotation.txt
3. gpg --verify rotation.txt
4. compare onion to the current set on /
Success looks like Good signature from "Nexus <operator@...>". A trust-level warning is normal. It only means you have not personally signed the operator key, which is expected. What matters is Good signature. If you see BAD signature or Can\'t check signature, do not use the address in the message.
Kleopatra path for Windows
Kleopatra ships with Gpg4win on Windows and gives you a GUI for the same checks. Import the operator key file the same way (File → Import). Save the signed rotation as rotation.txt. Right-click the file in the file manager, pick More GpgEX options → Verify. A window pops up saying either the signature is valid or the file has been modified. Same principle as gpg on the command line, different button.
Common errors and what they mean
- BAD signature, the file has been altered after signing. Do not trust the address inside. Report to the pinned Dread thread.
- Can\'t check signature: No public key, the operator key is not on your keyring yet. Go back to step one and import it.
- Signature made by different key ID, the message is signed by a key other than the operator. Do not import that key. Do not use the address inside.
- Warning: not certified with a trusted signature, normal. It only means you have not personally signed the key.
Once per key, then never again
You import the operator public key one time. Every future rotation validates against the same fingerprint. No forum handle, no chat message, no directory can push a fake address on you once the operator key is on your keyring. The whole point of PGP is that trust flows from a single anchor, checked once.
If you get the key from the same page as the new address, and both live on a phishing site, both match and the check passes with a fake key. Import once, from a source you already trust (the pinned Dread profile), then reuse forever.