A multiversal crypto engine.

NeoPG is a modern replacement for GnuPG 2

NeoPG starts as an opinionated fork of GnuPG 2 to clean up the code and make it easier to develop.

We want to provide a stable and extensible API for application developers, too.

Eventually, we will add new ways to use OpenPGP that make it accessible and usable.

Marcus Brinkmann, lead developer of NeoPG

Recent Blog Entries

SigSpoof 4: Bypassing signature verification in Yarn package manager (CVE-2018-12556)

This attack on GnuPG signature verification is specific to Yarn, the package manager. It can give a powerful attacker the ability to replace the Yarn installation with arbitrary code. There are additional protections in place, so if you are using Yarn, you probably do not need to worry too much about it.

SigSpoof 3: Breaking signature verification in pass (Simple Password Store) (CVE-2018-12356)

This attack on GnuPG signature verification is specific to pass, the Simple Password Store. It can give the attacker access to passwords and remote code execution.

SigSpoof 2: More ways to spoof signatures in GnuPG (CVE-2018-12019)

This is another attack that spoofs digital signatures, specific to Enigmail.

SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020)

GnuPG, Enigmail, GPGTools and potentially other applications using GnuPG can be attacked with in-band signaling similar to phreaking phone lines in the 1970s (“Cap’n Crunch”). We demonstrate this by creating messages that appear to be signed by arbitrary keys.