In other words, a good signature is found but the key is not in your app's database of trusted keys.
Correct. GPG has 4 kinds of verification result:
- "Unknown key", which means there is no public key in the database that corresponds to the verification results.
- "Key not valid", which means there is a public key corresponding to the verification results and the message verifies OK, but the users don't trust the owner of that key.
- "Valid", which means that users trust the owner of the public key, and the message verifies OK.
- "Bad", which means that the public key doesn't match the signature.
So, "Key not valid" should be ok and the file isn't corrupted at all. CMIIW.
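
An added example, not part of the posts above: a Python sketch that sorts the machine-readable output GnuPG writes with `--status-fd` into the four result names listed in the reply. The keyword-to-name mapping, the `classify` function and the sample status lines (placeholder key IDs and names) are assumptions constructed for illustration, not the front-end's own logic.

```python
# Constructed samples of `gpg --status-fd 1 --verify` output.
GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
GOOD_TRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] TRUST_FULLY 0 pgp
"""
BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""
UNKNOWN = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1704067200 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

def status_keywords(status_text):
    """Collect the keyword (second field) of every [GNUPG:] status line."""
    found = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            found.add(parts[1])
    return found

def classify(status_text):
    """Map status keywords to the four result names (assumed mapping)."""
    kw = status_keywords(status_text)
    # Fail closed: one bad signature outweighs any good one in the same run.
    if "BADSIG" in kw:
        return "Bad"
    if "NO_PUBKEY" in kw:
        return "Unknown key"
    if "GOODSIG" in kw:
        # The signature matches the data; the trust keyword says whether
        # the key itself is considered to belong to the named owner.
        if kw & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
            return "Valid"
        return "Key not valid"
    # Expired or revoked keys, other errors, or no signature at all.
    return "Unverified"

if __name__ == "__main__":
    for name in ("GOOD_UNTRUSTED", "GOOD_TRUSTED", "BAD", "UNKNOWN"):
        print(name, "->", classify(globals()[name]))
```

The extra "Unverified" result is a catch-all for status output that fits none of the four names, so that an unexpected run is never reported as a pass.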