Nexus Market Bureau est. 2026
Dossier

GnuPG basics for Nexus readers

The minimum GnuPG knowledge a reader needs to verify Nexus rotations.

By Editor · 16 July 2026 · 5 min

Verifying Nexus Market rotations requires GnuPG. This dossier covers the minimum GnuPG knowledge a reader needs to run the verification workflow reliably.

Installation

Linux. Almost every distribution ships GnuPG. Run gpg --version. If nothing responds, install via your package manager.

macOS. Install via Homebrew: brew install gnupg. GPG Suite is an alternative that includes a GUI.

Windows. Install Gpg4win from gpg4win.org. This includes Kleopatra, the GUI covered in the PGP verification report.

The commands you need

# Import a public key
gpg --import key.asc

# List keys on your keyring
gpg --list-keys
gpg --list-keys --with-fingerprint

# Verify a signed message
gpg --verify signed-message.txt

# Delete a key
gpg --delete-key KEY_ID

That is the minimum. You never need to sign anything, encrypt anything, or manage a keyring beyond these commands to verify Nexus rotations.

Keyring hygiene

The Bureau recommends a fresh keyring dedicated to Nexus verification, kept separate from any personal PGP keyring you may have. Use gpg --homedir ~/.gnupg-nexus in every command to isolate.

This prevents your Nexus verification from being affected by any other key drift on your personal keyring, and vice versa.

Fingerprint verification

After importing the operator key, run gpg --list-keys --with-fingerprint and compare the printed fingerprint to what you fetched from the operator Dread profile and from a mirror /pgp path. Store the fingerprint (paper, encrypted note, password manager) so you can verify future keyring state against it.

Common mistakes

Copying only part of a signed message. The signature covers every byte from the opening -----BEGIN PGP SIGNED MESSAGE----- to the closing -----END PGP SIGNATURE-----. Missing bytes fail verification.

Adding trailing whitespace or newlines. Some editors add invisible whitespace. Use a plain text editor and save the file as UTF-8 without BOM.

Importing the wrong key. If you accept an operator key from an unverified source and then verify a rotation with it, everything will look fine even if both are fake. Cross-check the key fingerprint against at least two independent sources.

Treating the trust warning as an error. WARNING: This key is not certified with a trusted signature is expected. Ignore it. Read the actual verification result on the line above.

What GnuPG does not do for you

It does not check whether the address inside a signed message is a good address to visit. It checks that the message came from the key holder and has not been altered. Everything downstream (is this address the right one, is this vendor a good vendor) is your responsibility.