What a signature proves, and the check that proves it.
A PGP signature on the node list is how you know an address came from Osiris and not an impersonator.
Two things at once. That the message was signed by the holder of a specific private key, and that not one byte has changed since. For a node list, the addresses provably came from whoever holds the market key.
Fetch the market key once from two independent places, cross-check the fingerprint, and import it. Save the signed list, run the verify with GnuPG, and look for the good-signature line naming the market key. A warning that you have not certified the key is normal. A bad-signature line means the list was altered, and you trust none of it.