Created attachment 114876: sample mail "signed" with CSS/HTML

In KMail signed mails are indicated by a green border around the mail content. This can be almost perfectly simulated by rebuilding that border with an HTML table. I've attached an example and screenshots of both a fake and a real mail (they're visually identical, except for some minor font rendering details that are invisible when not zooming in). In the message list there's a small symbol indicating a signed message, so there they can be distinguished, although I doubt anyone will notice. If a message is opened in its own window there's no way to distinguish fake from real. The problem here is with the fact that a security indicator is part of an "attacker-controlled" space, i.e. the content of a mail that gives the other party extensive layout options.
Created attachment 114877: fake mail

Created attachment 114878: real mail
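The report's point is that a trust indicator must come from something the sender cannot draw. As an added example (not part of the bug report or of KMail's code), the check below derives "is this message PGP/MIME signed?" from the MIME structure alone, so a body that merely paints a green border cannot influence it. Both sample messages are constructed, the signature block is a placeholder, and only structure is checked, not signature validity.

```python
from email import message_from_string
from email.message import Message

# Constructed sample: a PGP/MIME signed message (RFC 3156 layout).
# The signature block is a placeholder, not a valid OpenPGP signature.
SIGNED_MAIL = """\
From: alice@example.org
To: bob@example.org
Subject: signed
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain

hello
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-SIGNATURE
-----END PGP SIGNATURE-----
--sig--
"""

# Constructed sample: a plain HTML mail whose body only draws a green
# border around the content, the spoof described in the report above.
FAKE_MAIL = """\
From: mallory@example.org
To: bob@example.org
Subject: looks signed
MIME-Version: 1.0
Content-Type: text/html

<table style="border: 2px solid green"><tr><td>hello</td></tr></table>
"""


def is_pgp_mime_signed(raw: str) -> bool:
    """True only if the outer part is multipart/signed carrying a detached
    PGP signature part.  Rendered body content plays no role here."""
    msg: Message = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return False
    if msg.get_param("protocol") != "application/pgp-signature":
        return False
    parts = msg.get_payload()
    # RFC 3156: exactly two parts; the second is the detached signature.
    return (len(parts) == 2
            and parts[1].get_content_type() == "application/pgp-signature")
```

A viewer that paints its indicator from this kind of structural (and, in practice, cryptographically verified) result, in chrome outside the body area, cannot be fooled by the table trick.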
Indeed I confirm this bug. I will investigate how I can fix it.
Git commit a19720ae8e0aa2074fe4f055bc0464948bdd0d36 by Laurent Montel.
Committed on 11/09/2018 at 05:07.
Pushed by mlaurent into branch 'master'.

Fix Bug 398454 - GPG signatures can be faked with HTML/CSS

FIXED-IN: 5.10.0

M +27 -5 messageviewer/src/header/grantleeheaderformatter.cpp
M +18 -2 messageviewer/src/messageviewerheaderplugins/defaultgrantleeheaderstyleplugin/theme/5.2/header.html

https://commits.kde.org/messagelib/a19720ae8e0aa2074fe4f055bc0464948bdd0d36