How to verify an onion address with PGP
The single check that separates a real market URL from a fake. Ten minutes to learn, ten seconds per rotation after that.
Why bother
Because typing "nexus market" into a search engine is how people end up on phishing pages. A PGP-signed rotation moves the trust from the page that shows you an address to the private key that has signed every rotation this operator has ever made. Verify the key once. All future rotations verify automatically.
Step 1: get the operator public key
Find the market operator PGP block. It sits on the market's own /pgp page, in the operator's pinned Dread post, or on a directory old enough that its own claim to the key is verifiable. Copy the whole block, from the -----BEGIN PGP PUBLIC KEY BLOCK----- line to the -----END PGP PUBLIC KEY BLOCK----- line, into a file named something like operator.asc.
Step 2: import it
gpg --import operator.asc
Kleopatra users drag the file into the window and click Import. Whatever tool you use, once the key is in your keyring you never fetch it again for that market.
Step 3: save the signed rotation
Copy the whole signed announcement into a file called rotation.txt. The shape is:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The new primary onion for MarketName is <56 characters>.onion -----BEGIN PGP SIGNATURE----- ...signature bytes... -----END PGP SIGNATURE-----
Include the header line and the blank line after Hash: SHA512. Do not strip anything. A stray edit breaks the check.
Step 4: verify
gpg --verify rotation.txt
The line you want is:
gpg: Good signature from "<operator name>"
Ignore the warning about the key not being certified with a trusted signature. That means only that you have not personally signed the key. What matters is Good signature. If you see BAD signature or Can't check signature: No public key, the message was tampered with or the key you have is wrong. Do not use the URL.
Common mistakes
- Getting the public key from the same page that shows the rotation. If both are on a phishing site, both match. Fetch the key once from a source you already trust and keep it locally.
- Copying only the address and leaving the header and signature behind. The signature covers the whole envelope.
- Trusting a signature from a different fingerprint than the one you imported. Compare fingerprints letter by letter every time. Kleopatra shows them under the signer name, gpg prints them with
--verify.