Here you can find many details about the design and implementation of NeoPG, and the challenges along the way.
This attack on GnuPG signature verification is specific to Yarn, the package manager. It can give a powerful attacker the ability to replace the Yarn installation with arbitrary code. There are additional protections in place, so if you are using Yarn, you probably do not need to worry too much about it.
This attack on GnuPG signature verification is specific to pass, the Simple Password Store. It can give the attacker access to passwords and remote code execution.
This is another attack to spoof digital signatures specific to Enigmail.
GnuPG, Enigmail, GPGTools and potentially other applications using GnuPG can be attacked with in-band signaling similar to phreaking phone lines in the 1970s (“Cap’n Crunch”). We demonstrate this by creating messages that appear to be signed by arbitrary keys.
I found out that it is possible to create a message that looks encrypted in GnuPG and many email clients, but where the plaintext is actually not protected at all.
A group of researchers at the University of Applied Sciences Münster under the lead of Sebastian Schinzel have uncovered a bunch of problems in email encryption, specifically S/MIME and OpenPGP. The results should be a wake-up call for the OpenPGP community.
NeoPG uses formal grammars even for parsing trivial data structures, down to individual bytes. This article explains why.
NeoPG is written in C++, while GnuPG is written in C. This article explains why.
I gave a lightning talk about NeoPG at 34C3 and talked to some people in the community.
NeoPG will not have long-running daemons. This article explains why.