The signature of this message is valid but untrusted. That means it has not been tampered with. It is untrusted though, because the key has not yet been verified.
Yeah, you'll have to certify it somehow. Not a problem though.
So, is this enough? Should I do something more before I can fully trust this is a legit version?
Unless the PGP key has been compromised, which is quite unlikely, you can trust that this was signed by ThomasV. The fingerprint that I've imported matches yours, 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6. If you trust that the public key is accurate, then you've downloaded the legit version.
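The fingerprint comparison discussed in this thread can be scripted rather than done by eye. The following is an added example, not part of the original posts: it reads GnuPG's machine-readable status output and succeeds only when a valid signature was made by the key whose fingerprint is quoted above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint quoted in the thread; obtain it from a channel you trust.
PINNED_FPR="6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6"

# Strip whitespace and uppercase, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_status PINNED: reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if some VALIDSIG line names PINNED as the primary key
# (field 12), falling back to the signing-key fingerprint (field 3).
# BADSIG/ERRSIG produce no VALIDSIG line, so they fail here.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_download SIGFILE DATAFILE: run gpg and apply the check above.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output: valid signature, key not yet certified locally
# (the "valid but untrusted" case from the first post).
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 2BD5824B7F9470E6 ThomasV (constructed sample)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2020-01-01 1577836800 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed status output: cryptographically valid, but from a different key.
sample_wrong_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0000000000000001 Someone Else (constructed sample)
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2020-01-01 1577836800 0 4 0 1 8 00 0000000000000000000000000000000000000001
EOF
}
```

`TRUST_UNDEFINED` does not make the check fail: the pinned fingerprint, not the local trust database, is what decides whether the download is accepted.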