Nexusnexuslinksnexus urls hub

Verify a Nexus URL with PGP

Nexus signs every mirror rotation with the same key that signed the last one. Import that public key once and you can prove any future URL came from the market.

Why bother

Because searching for a working Nexus URL online is how buyers end up on phishing clones. A signed announcement moves the trust from "the page that gave me this URL" to "the private key that has signed every URL since 2023". You only need to check the key once.

1. Get the Nexus public key

Find the operator's PGP block on the market's own login page, on the Dread announcement pinned by the operator, or from a copy already on your machine from a previous session. Copy the whole block from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- into a text file named nexus.asc.

2. Import it

gpg --import nexus.asc

Kleopatra users open the file and click Import. Whatever tool you use, once the key sits in your keyring you never need to fetch it again for Nexus.

3. Save the signed announcement

Copy the signed rotation message from the source you trust. It should look like this shape:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The current primary onion for Nexus Market is
nexusaskv3n5lse2zs3gg2lvxdisi4xroq45t3gtjsien3lzun5tb7qd.onion
Rotation timestamp: 2026-06-30
-----BEGIN PGP SIGNATURE-----
...signature bytes...
-----END PGP SIGNATURE-----

Save the whole block, including the header line and the blank line after Hash: SHA512, into a file named rotation.txt. Do not strip anything. The signature covers every byte and a stray space breaks the check.

4. Verify

gpg --verify rotation.txt

The line you want to see is:

gpg: Good signature from "Nexus Market"

The follow-up line about the key not being certified is normal. It only means you have not personally signed the key. What matters is Good signature. If you see BAD signature or Can't check signature: No public key, do not use the URL in the announcement. The message was tampered with or the key is wrong.

Kleopatra shortcut

Import the public key by dragging nexus.asc into Kleopatra. Save the signed announcement as rotation.txt. Right-click the file, pick More GpgEX options, choose Verify. A window pops up telling you the signature is either valid or the message has been modified. Same idea, different button.

Common mistakes

Related pages