Verify a Nexus onion with PGP
Two things to check before you type a Nexus password. First is fast and works every session. Second is the anchor, done once per rotation.
When you land on the Nexus login, there is a captcha image between you and the password field. Somewhere inside that image, the operator paints the current onion. Read those letters. Compare to your URL bar. If both match character for character, you are on a mirror the operator wanted you to be on. If they do not, close the tab.
This works because a phishing clone cannot easily regenerate a fresh captcha with the fake onion painted in real time. Most clones bake one static image and never touch it. The address inside their captcha stays the real one even while the URL bar shows the fake one, which is exactly what the check catches.
Every time the primary onion moves, the operator publishes a signed message with the new address. You verify that signature against the operator public key. If it validates, the address is trustworthy. If it does not, the message is fake and the address inside is worthless.
import once
gpg --import nexus.asc
Save the operator public key to nexus.asc. Import once. After that the key stays in your keyring and every future rotation verifies against it.
save the signed rotation
Copy the whole envelope from -----BEGIN PGP SIGNED MESSAGE----- to -----END PGP SIGNATURE----- into rotation.txt. Do not strip the blank line after Hash: SHA512. Signature covers every byte and a stray character breaks the check.
run the verify
gpg --verify rotation.txt
You want to see a line that reads Good signature. The line right after may warn that the key is not certified with a trusted signature. That warning is normal. It only means you have not personally signed the operator key. What matters is Good signature. If it says BAD signature or Can\'t check signature, do not use the address inside.
match the address
Compare the onion in the message to the address on the atlas page. Match wins, mismatch means the message was for an address other than the one you were about to open. Neither is automatically wrong, but if the atlas has not been updated to match, the log page should say why.
You import the operator key one time. After that, every future rotation gets verified against the key already in your ring. No forum, no directory and no chat handle can push a fake address on you once you have the key on file.