The comments that PGP chooses have always been very vague in my opinion and have created confusion for years. In the case of OP, the application is saying the "key" is not valid, or in other words the key is not something that OP has in his trusted key database. And it says the "signature" is OK but it is "uncertain", which is basically the same as what new versions are saying.
In other words, a good signature is found but the key is not in your app's database of trusted keys.
Correct. GPG has 4 kinds of verification result:
- "Unknown key", which means there is no public key on the database that corresponds to the verification results.
- "Key not valid", which means there is a public key corresponding to the verification results and the message verifies ok, but the users don't trust the owner of that key.
- "Valid", which means that users trust the owner of the public key, and the message verifies ok.
- "Bad", which means that the public key doesn't match with the signature.
So, "Key not valid" should be ok and the file isn't corrupted at all. CMIIW.
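The four outcomes above map onto GnuPG's machine-readable status lines (`gpg --status-fd 1 --verify ...`), which is what a script should read instead of the human-facing wording. Added example, not code from the thread or from GnuPG: a small classifier over those status lines, with constructed sample outputs (fake key ids) for each of the four cases.

```python
import re
from enum import Enum

# Status keywords GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, VALIDSIG and TRUST_*
# are real GnuPG status tags; the sample outputs below are constructed.

class Outcome(Enum):
    UNKNOWN_KEY = "Unknown key"      # signature present, no matching public key in keyring
    KEY_NOT_VALID = "Key not valid"  # signature good, but key owner not trusted
    VALID = "Valid"                  # signature good from a trusted key
    BAD = "Bad"                      # signature does not match the key/data

_TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def classify(status_output: str) -> Outcome:
    """Map the [GNUPG:] status lines of one verification to an Outcome."""
    tags = set()
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)", line)
        if m:
            tags.add(m.group(1))
    if "BADSIG" in tags:
        return Outcome.BAD
    if "NO_PUBKEY" in tags:
        return Outcome.UNKNOWN_KEY
    if "GOODSIG" in tags:
        # TRUST_UNDEFINED / TRUST_MARGINAL / TRUST_NEVER all fall here
        return Outcome.VALID if tags & _TRUSTED else Outcome.KEY_NOT_VALID
    if "ERRSIG" in tags:
        raise ValueError("signature could not be checked (unsupported algorithm?)")
    raise ValueError("no signature status found")

# Constructed samples (fake key ids / fingerprints), one per outcome.
SAMPLE_UNTRUSTED = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>",
    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF0123456789 2020-01-01 1577836800 0 4 0 1 10 01 00112233445566778899AABBCCDDEEFF0123456789",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_ULTIMATE")
SAMPLE_NO_KEY = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 01 1577836800 9 00112233445566778899AABBCCDDEEFF0123456789",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
])
SAMPLE_BAD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>",
])

if __name__ == "__main__":
    for name, s in [("untrusted", SAMPLE_UNTRUSTED), ("trusted", SAMPLE_TRUSTED),
                    ("no key", SAMPLE_NO_KEY), ("bad", SAMPLE_BAD)]:
        print(f"{name}: {classify(s).value}")
```

Only the "Bad" outcome means the file does not match the signature; "Key not valid" and "Unknown key" are statements about the keyring and trust database, not about file integrity.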