Nexus Market Bureau est. 2026
Dossier

The Nexus operator PGP key, technical dossier

Where the key lives, what it does, why it matters, how the reader anchors trust to it.

By Editor · 16 July 2026 · 5 min

The Nexus operator PGP key is the single trust anchor of the entire storefront ecosystem. Every mirror rotation, every signed announcement, every operator statement rides on this key. If the key is genuine and remains under the operator's control, everything signed by it is real. If the key is not genuine or is compromised, everything falls.

Where the key is published

Two primary sources. The pinned Dread profile of the operator carries the public key in the profile description or in a pinned post. Every current Nexus mirror serves the same public key from the /pgp path (accessed after login). Both sources are considered authoritative. Neither alone is sufficient, the reader should fetch from both and cross-check the fingerprint.

What the key is used for

Every signed rotation announcement. Every operator statement about feature changes. Every advisory about phishing patterns. Every retrospective. If a message from the operator does not carry a valid signature from this key, it is not from the operator.

The fingerprint anchor

The fingerprint is 40 hexadecimal characters split into 10 groups of 4. The reader's job is to record the fingerprint once, from two independent sources, and refer back to it on every future verification.

The Bureau does not publish the specific fingerprint on this page. This is deliberate: if we published it, and this page were ever compromised, an attacker could poison the fingerprint alongside a fake key. Readers are expected to fetch the fingerprint from Dread and from a mirror's /pgp path themselves.

Cross-check method

Fetch the key from Dread. Fetch the key from a mirror /pgp path. Run gpg --import on both fetched files into a fresh keyring. Compare the fingerprints with gpg --list-keys --with-fingerprint. If they match, the key is genuine (with high confidence). If they do not match, at least one source is compromised, and the reader should assume the worst and not import either key until the situation clarifies.

Key stability history

See the case study on the key that has not rotated. Two years of stability. Every signed rotation post verifies against the same fingerprint. No editor has ever needed to publish a bad-signature warning about a message signed under this key.

What happens if the key is ever compromised

An attacker with the private key can sign anything, including fake rotations, and it will verify against every reader's keyring. The reader has no way to detect this without out-of-band information.

Defence in depth here means the operator keeps the private key on hardware or air-gapped storage, and defence for the reader means watching for out-of-character behaviour (a rotation that lands on an address that behaves oddly, a captcha string that does not match the URL bar, a login page that looks slightly different). If in doubt, do not log in.

Key rotation, if it ever happens

A key rotation would be announced under the outgoing key, with the new public key attached and cross-signed. The reader verifies the announcement under the outgoing key, checks the new key fingerprint against multiple sources, imports the new key, and updates their trust anchor. Any key rotation that skips the cross-signature step is not from the operator.

What to store on your side

The imported operator public key. The fingerprint (written down on paper, in a password manager, or in an encrypted local note). The date you first imported the key. Ideally, a screenshot of the two Dread posts and /pgp paths you cross-checked against, in case you ever need to prove to yourself later that the fingerprint has not changed on you.