NeoPG

A multiversal crypto engine.

NeoPG is a modern replacement for GnuPG 2

NeoPG starts as an opiniated fork of GnuPG 2 to clean up the code and make it easier to develop.

We want to provide a stable and extensible API for application developers, too.

Eventually, we will add new ways to use OpenPGP that make it accessible and usable.

Marcus Brinkmann, lead developer of NeoPG

SigSpoof 3: Breaking signature verification in pass (Simple Password Store) (CVE-2018-12356)

This attack on GnuPG signature verification is specific to pass, the Simple Password Store. It can give the attacker access to passwords and remote code execution.

SigSpoof 2: More ways to spoof signatures in GnuPG (CVE-2018-12019)

This is another attack to spoof digital signatures specific to Enigmail.

SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020)

GnuPG, Enigmail, GPGTools and potentially other applications using GnuPG can be attacked with in-band signaling similar to phreaking phone lines in the 1970s (“Cap’n Crunch”). We demonstrate this by creating messages that appear to be signed by arbitrary keys.

Not everything that looks encrypted, is encrypted

I found out that it is possible to create a message that looks encrypted in GnuPG and many email clients, but where the plaintext is actually not protected at all.

NeoPG

A multiversal crypto engine.

NeoPG is a modern replacement for GnuPG 2

Recent Blog Entries

SigSpoof 3: Breaking signature verification in pass (Simple Password Store) (CVE-2018-12356)

SigSpoof 2: More ways to spoof signatures in GnuPG (CVE-2018-12019)

SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020)

Not everything that looks encrypted, is encrypted

Quick

Get Involved!

NeoPG needs your help