Hockeypuck is an OpenPGP keyserver that allows users to publish, search, and retrieve PGP public keys for secure communication. It is designed for federation with other keyservers and supports a high-performance, scalable architecture.
🛠️ Usage
1. Public PGP Key Directory
- Organizations, security researchers, and privacy-focused users can publish and retrieve PGP keys for encrypted email and document verification.
- Similar to SKS Keyserver, but actively maintained and more scalable.
2. Enterprise PGP Key Management
- Companies can host a private keyserver for internal teams to share PGP keys securely.
- Prevents reliance on external keyservers like keys.openpgp.org.
3. Decentralized Identity and Key Distribution
- Used in federated PGP keyserver networks like Hockeypuck & SKS pools to distribute OpenPGP keys across multiple servers.
- Useful for distributed trust models where multiple organizations manage keys collaboratively.
4. Bitcoin & Nostr Applications
- Can be used alongside Nostr for key verification, ensuring public keys are retrievable for cryptographic signatures.
- Useful in Bitcoin applications where PGP-signed messages confirm identity.
5. Software Package Signing
- Developers and package maintainers can sign software updates using OpenPGP, and end users can fetch public keys from Hockeypuck to verify authenticity.
- Example: Debian and Arch Linux package signing.
6. Secure Messaging
- Supports secure email systems using PGP-encrypted mail (e.g., ProtonMail, Thunderbird + Enigmail, Mailpile, etc.).
📌 Key Benefits
✅ Docker-Based Deployment → Easily installable with Docker and docker-compose.
✅ Federated Keyserver → Can join existing PGP keyserver networks.
✅ High-Performance Storage → Uses PostgreSQL for better performance than older SKS keyservers.
✅ Supports HTTP & HTTPS → Can be hosted publicly with TLS encryption.
✅ Fully Open Source → Maintained as a modern alternative to SKS.
🔑 Signing a Nostr Event Using PGP & Verifying It on a Relay
If Alice wants to prove she controls npub1xyz... using PGP, she can sign a Nostr event and publish both the event and signature.
🔹 Step 1: Create a Nostr Event (Kind 0)
Alice generates a Nostr profile metadata event:
{
"id": "xxxxxxxxxxxxxxxxxx",
"pubkey": "npub1xyz...",
"created_at": 1700000000,
"kind": 0,
"tags": [],
"content": "{ \"name\": \"Alice\", \"about\": \"PGP Verified Nostr User\" }"
}
She saves this as nostr_event.json.
🔹 Step 2: Sign the Event with PGP
Alice uses GnuPG to sign the event:
gpg --clearsign --armor nostr_event.json
This creates nostr_event.json.asc, which contains the event with a PGP signature.
🔹 Example of the signed event:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{
"id": "xxxxxxxxxxxxxxxxxx",
"pubkey": "npub1xyz...",
"created_at": 1700000000,
"kind": 0,
"tags": [],
"content": "{ \"name\": \"Alice\", \"about\": \"PGP Verified Nostr User\" }"
}
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbGSk4HTlMz5tG0tF0Y8fO3HTQYYFAmS8mOkACgkQ0Y8fO3HT
QYYX4w/+JwzbfM1EZ2F7H3yqbdGBJ2cGd...
-----END PGP SIGNATURE-----
🔹 Step 3: Upload the Signature to a Public Keyserver
Alice submits her signed Nostr event to the Hockeypuck keyserver:
curl --data-binary @nostr_event.json.asc https://keyserver.example.com/pks/add
🔹 Step 4: Publish the Event to a Nostr Relay
Alice publishes the original event to a Nostr relay:
curl -X POST https://nostr-relay.example.com/ -d @nostr_event.json
🔹 Step 5: Verification
Anyone can fetch Alice’s PGP-signed event and verify it:
curl "https://keyserver.example.com/pks/lookup?op=get&search=alice@nostr.example.com" | gpg --verify
If successful, it will show:
gpg: Good signature from "Alice <alice@nostr.example.com>"
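A good signature only says that Alice's key signed some text; the verifier still has to confirm that the signed text is the same event the relay serves. The sketch below is an added example, not part of the original page or of Hockeypuck: it extracts the text covered by the clearsigned file, recomputes the event id as NIP-01 defines it, and compares the fields. The hex pubkey, sample event and signature block are constructed placeholders, and the PGP signature itself is still checked with gpg, not here.

```python
import hashlib
import json

def signed_text(clearsigned: str) -> str:
    """Return only the text an OpenPGP cleartext signature covers (RFC 4880, section 7)."""
    lines = clearsigned.splitlines()
    begin = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    sig = lines.index("-----BEGIN PGP SIGNATURE-----", begin)
    body_start = lines.index("", begin, sig) + 1  # "Hash:" headers end at the first empty line
    # Undo dash-escaping; text before `begin` or after the signature is unsigned and ignored.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[body_start:sig])

def nostr_event_id(ev: dict) -> str:
    """NIP-01 id: SHA-256 of the compact JSON array [0, pubkey, created_at, kind, tags, content]."""
    payload = json.dumps(
        [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
        separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def check_binding(clearsigned: str, relay_event: dict) -> list:
    """Return a list of problems; an empty list means the signed text is the relay's event."""
    try:
        signed = json.loads(signed_text(clearsigned))
    except ValueError as exc:  # missing armor markers or invalid JSON
        return [f"unparseable signed text: {exc}"]
    if not isinstance(signed, dict):
        return ["signed text is not a JSON object"]
    problems = []
    if nostr_event_id(relay_event) != relay_event.get("id"):
        problems.append("relay event id does not match its content")
    for field in ("id", "pubkey", "created_at", "kind", "tags", "content"):
        if signed.get(field) != relay_event.get(field):
            problems.append(f"signed {field} differs from relay event")
    return problems

# Constructed sample data: placeholder hex pubkey, placeholder signature block.
EVENT = {"pubkey": "ab" * 32, "created_at": 1700000000, "kind": 0, "tags": [],
         "content": json.dumps({"name": "Alice", "about": "PGP Verified Nostr User"})}
EVENT["id"] = nostr_event_id(EVENT)
CLEARSIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               + json.dumps(EVENT, indent=1)
               + "\n-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    swapped = dict(EVENT, pubkey="cd" * 32)          # same id, different key
    print(check_binding(CLEARSIGNED, EVENT))         # signed text matches the relay event
    print(check_binding(CLEARSIGNED, swapped))       # id and pubkey checks both fail
```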
✅ Use Cases
- Proving Ownership of a Nostr Public Key with PGP.
- Bitcoin Applications: PGP-signed messages can confirm identities for multisig coordination.
- Decentralized Web of Trust: Verifying Nostr users via signed events.
Additionally, a simple JavaScript or Python script could automate the signing process.