The rotation that never happened, on operator key stability
Nexus has not rotated its signing key in two years. This case study explains why that is the useful data point.
The most interesting rotation in the Nexus story is the one that has not happened. The operator PGP signing key attached to the launch announcement in January 2024 is still the key signing every rotation post today. In two years and change of continuous operation, the signing key has not been rotated once.
This is the useful data point. Here is why.
Why key stability matters
The whole PGP verification model rests on a single trust anchor: the operator public key you imported the first time. Every future verification is a check against that same fingerprint. If the key changes, you have to re-import, re-verify, and re-anchor. Every key rotation is a small trust-collapse-and-rebuild for every reader.
An operator who rotates the signing key often is signalling either compromise (had to rotate because the private key leaked) or immaturity (rotating for the sake of it, which is a bad habit on a system where trust flows from stability). An operator who has never rotated the signing key across two years is signalling that the private key remains under the operator's exclusive control, and that the operational security around it is at least good enough that a rotation has never been needed.
What the Bureau checked
Every signed rotation post the operator has published since launch was verified by editors against the same operator public key. Every verification returned Good signature. No editor has ever needed to warn readers about a bad-signature post from the Nexus operator. That is roughly ninety signed posts over two years, all under the same key.
How this compares to other markets
Other Tor markets in the same era have rotated their signing keys once or more, in some cases without a clear signed handoff from the outgoing key. When that happens, readers have no way to distinguish a legitimate key rotation from a compromise. Some markets have rotated silently, which is worse. Some have rotated with a proper cross-signed announcement, which is the correct pattern but still forces every reader to redo the trust anchor.
Nexus has done none of that. The key has held.
What would a rotation look like, if it ever happened
The operator would publish a signed announcement under the outgoing key. Attached to the announcement would be the new public key, plus a signature over the new key made with the outgoing key. Readers would verify the announcement against the outgoing key (the one on their keyring), extract the new public key, verify its cross-signature, import the new key, and update their anchor. The whole workflow takes a few minutes if the reader has run PGP verification before.
Anything shorter than that pattern (a new key that just shows up in a post without a cross-signature, a chat message claiming the key has rotated, a fresh mirror suddenly publishing a different /pgp key) is a phishing attempt.
The scenario where key stability breaks
If the operator's private key is ever compromised (through server seizure, insider theft, or a supply-chain attack on the operator's own equipment) an attacker can sign anything under that key, including a fake mirror rotation, and it will verify. The compromise is not visible to readers because the signatures still validate.
This is the one attack vector the pure PGP model does not defend against. Defence in depth here means the operator uses hardware-backed keys, keeps the signing key on an air-gapped machine, and rotates preventively before compromise. Whether Nexus does any of this is not publicly known, and inference from the two-year stability is that either it works or the operator has been lucky.
Reader takeaway
Trust the current signing key because it has held for two years and every rotation posted under it has verified. Do not trust it more than that. If a rotation post ever fails to verify, the Bureau will publish an advisory under the security section within hours. Read that section occasionally.