Why bother
Because searching for a working Nexus URL online is how buyers end up on phishing clones. A signed announcement moves the trust from "the page that gave me this URL" to "the private key that has signed every URL since 2023". You only need to check the key once.
1. Get the Nexus public key
Find the operator's PGP block on the market's own login page, on the Dread announcement pinned by the operator, or from a copy already on your machine from a previous session. Copy the whole block from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- into a text file named nexus.asc.
2. Import it
gpg --import nexus.asc
Kleopatra users open the file and click Import. Whatever tool you use, once the key sits in your keyring you never need to fetch it again for Nexus.
3. Save the signed announcement
Copy the signed rotation message from the source you trust. It should look like this shape:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The current primary onion for Nexus Market is nexusaskv3n5lse2zs3gg2lvxdisi4xroq45t3gtjsien3lzun5tb7qd.onion Rotation timestamp: 2026-06-30 -----BEGIN PGP SIGNATURE----- ...signature bytes... -----END PGP SIGNATURE-----
Save the whole block, including the header line and the blank line after Hash: SHA512, into a file named rotation.txt. Do not strip anything. The signature covers every byte and a stray space breaks the check.
4. Verify
gpg --verify rotation.txt
The line you want to see is:
gpg: Good signature from "Nexus Market"
The follow-up line about the key not being certified is normal. It only means you have not personally signed the key. What matters is Good signature. If you see BAD signature or Can't check signature: No public key, do not use the URL in the announcement. The message was tampered with or the key is wrong.
Kleopatra shortcut
Import the public key by dragging nexus.asc into Kleopatra. Save the signed announcement as rotation.txt. Right-click the file, pick More GpgEX options, choose Verify. A window pops up telling you the signature is either valid or the message has been modified. Same idea, different button.
Common mistakes
- Copying only the URL without the header and footer. Verification needs the full envelope.
- Fetching the public key from the same page that lists the new URL. If both live on a phishing site, both match, and the check passes with a fake key. Get the key from a source you trust once, keep it locally.
- Trusting a signature from a different key fingerprint than the one you saved. Every check must match the same fingerprint. Compare it letter by letter.