🛠️ Usage

1. Public PGP Key Directory

• Organizations, security researchers, and privacy-focused users can publish and retrieve PGP keys for encrypted email and document verification.
• Similar to SKS Keyserver, but actively maintained and more scalable.

2. Enterprise PGP Key Management

• Companies can host a private keyserver for internal teams to share PGP keys securely.
• Prevents reliance on external keyservers like keys.openpgp.org.

3. Decentralized Identity and Key Distribution

• Used in federated PGP keyserver networks like Hockeypuck & SKS pools to distribute OpenPGP keys across multiple servers.
• Useful for distributed trust models where multiple organizations manage keys collaboratively.

4. Bitcoin & Nostr Applications

• Can be used alongside Nostr for key verification, ensuring public keys are retrievable for cryptographic signatures.
• Useful in Bitcoin applications where PGP-signed messages confirm identity.

5. Software Package Signing

• Developers and package maintainers can sign software updates using OpenPGP, and end users can fetch public keys from Hockeypuck to verify authenticity.
• Example: Debian and Arch Linux package signing.

6. Secure Messaging

• Supports secure email systems using PGP-encrypted mail (e.g., ProtonMail, Thunderbird + Enigmail, Mailpile, etc.).

📌 Key Benefits

✅ Docker-Based Deployment → Easily installable with Docker and docker-compose.
✅ Federated Keyserver → Can join existing PGP keyserver networks.
✅ High-Performance Storage → Uses PostgreSQL for better performance than older SKS keyservers.
✅ Supports HTTP & HTTPS → Can be hosted publicly with TLS encryption.
✅ Fully Open Source → Maintained as a modern alternative to SKS.

🔑 Signing a Nostr Event Using PGP & Verifying It on a Relay

If Alice wants to prove she controls npub1xyz... using PGP, she can sign a Nostr event and publish both the event and signature.

🔹 Step 1: Create a Nostr Event (Kind 0)

Alice generates a Nostr profile metadata event:

{
  "id": "xxxxxxxxxxxxxxxxxx",
  "pubkey": "npub1xyz...",
  "created_at": 1700000000,
  "kind": 0,
  "tags": [],
  "content": "{ \"name\": \"Alice\", \"about\": \"PGP Verified Nostr User\" }"
}

She saves this as nostr_event.json.

🔹 Step 2: Sign the Event with PGP

Alice uses GnuPG to sign the event:

gpg --clearsign --armor nostr_event.json

This creates nostr_event.json.asc, which contains the event with a PGP signature.

🔹 Example of the signed event:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{
  "id": "xxxxxxxxxxxxxxxxxx",
  "pubkey": "npub1xyz...",
  "created_at": 1700000000,
  "kind": 0,
  "tags": [],
  "content": "{ \"name\": \"Alice\", \"about\": \"PGP Verified Nostr User\" }"
}
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbGSk4HTlMz5tG0tF0Y8fO3HTQYYFAmS8mOkACgkQ0Y8fO3HT
QYYX4w/+JwzbfM1EZ2F7H3yqbdGBJ2cGd...
-----END PGP SIGNATURE-----

🔹 Step 3: Upload the Signature to a Public Keyserver

Alice submits her signed Nostr event to the Hockeypuck keyserver:

curl --data-binary @nostr_event.json.asc https://keyserver.example.com/pks/add

🔹 Step 4: Publish the Event to a Nostr Relay

Alice publishes the original event to a Nostr relay:

curl -X POST https://nostr-relay.example.com/ -d @nostr_event.json

🔹 Step 5: Verification

Anyone can fetch Alice’s PGP-signed event and verify it:

curl "https://keyserver.example.com/pks/lookup?op=get&search=alice@nostr.example.com" | gpg --verify

If successful, it will show:

gpg: Good signature from "Alice <alice@nostr.example.com>"

✅ Use Cases

1. Proving Ownership of a Nostr Public Key with PGP.
2. Bitcoin Applications: PGP-signed messages can confirm identities for multisig coordination.
3. Decentralized Web of Trust: Verifying Nostr users via signed events.

Additionally a simple JS or python script could automate signing process.