>_ nexus-market-darknet.ink observation log
keys

Notes on the operator PGP key

The one PGP key that has signed every Nexus rotation since the market opened. Where to find it, why the fingerprint is the only anchor, and what to do if a verifier reports a mismatch.

Where to fetch the operator key

The operator pins the public key on their Dread profile and re-exports it from the market login page under the /pgp path. Fetch from both, compare byte for byte, keep whichever match. Do not fetch from a random forum thread, a chat message or a search result banner. The whole point of PGP verification is that you trust the first key you got and check every future rotation against it.

Why the fingerprint is the anchor

An onion address embeds a public key, so the address itself is unforgeable. Signed rotations attach that address to the operator identity, so a valid signature under the same fingerprint proves the message really came from the operator. If the fingerprint changes, the anchor is gone, and every mirror announcement has to be reproven from scratch. The operator has not rotated the signing key on the current run of the market.

If a verify reports a mismatch

Do not use the address inside. Do not import the mismatched key. Do not silence the warning. A mismatched signature is the exact failure mode PGP is built to catch. Report the mismatched post to the pinned Dread thread and wait for the operator statement before doing anything with the address.

Key rotation, if it ever happens

If the operator does rotate the signing key, the announcement will be made under the outgoing key at least thirty days in advance and the new key will be published with cross-signatures from the outgoing one. Anything shorter than that or without cross-signatures is a phishing attempt using a made-up key.

boring works

The reason this same routine appears on every darknet directory that takes verification seriously is that boring routines catch phishing on the first check. Convenience is the attack vector. Habits are the fix.