“decades worth of email messages many people relied on for sensitive business or security matters may have in fact been spoofs”

“Applications such as Enigmail and GPGTools then cause email clients such as Thunderbird or Apple Mail to falsely show that an email was cryptographically signed by someone chosen by the attacker. All that’s required to spoof a signature is to have a public key or key ID.”

“The attacks are relatively easy to carry out.”

reference article by Ars Technica