OpenPGP signature spoofing using HTML

Beyond just encrypting messages, and thus providing secrecy, the OpenPGP
standard also enables digitally signing messages to authenticate
the sender. Email applications and plugins usually verify these
signatures automatically and will show whether an email contains a valid
signature. However, with a surprisingly simple attack, it’s often possible
to fool users by faking — or spoofing — the indication of a valid signature
using HTML email.

Source: LWN