When verifying files signed by a “Fully” validated key, it says the key has a trust level of undefined. I edited the key to mark it as fully trusted. I have tried with a file that I self signed with an ultimately trust key and it works, then I reduced to fully and I get the same.
###################################################
C:\Users\Andrew>gpg --edit-key “tor”
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 4096R/93298290 created: 2014-12-15 expires: 2020-08-24 usage: C
trust: full validity: unknown
sub 4096R/F65C2036 created: 2014-12-15 expires: 2017-08-25 usage: S
sub 4096R/D40814E0 created: 2014-12-15 expires: 2017-08-25 usage: S
The following key was revoked on 2015-08-26 by RSA key 93298290 Tor Browser Developers (signing key) torbrowser@torproject.org
sub 4096R/589839A3 created: 2014-12-15 revoked: 2015-08-26 usage: S
[ unknown] (1). Tor Browser Developers (signing key) torbrowser@torproject.org
###################################################
###################################################
C:\Users\Andrew>gpg --verify “C:\Users\Andrew\Downloads\torbrowser-install-6.0.2_en-US.exe.asc”
gpg: assuming signed data in ‘C:\Users\Andrew\Downloads\torbrowser-install-6.0.2_en-US.exe’
gpg: Signature made 06/20/16 07:48:31 Central Daylight Time using RSA key ID D40814E0
gpg: Good signature from “Tor Browser Developers (signing key) torbrowser@torproject.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
###################################################
Running Windows 10 Pro 64bit. Gpg4Win 2.3.1, GnuPG 2.0.30
###################################################
C:\Users\Andrew>gpg -v --verify “C:\Users\Andrew\Downloads\torbrowser-install-6.0.2_en-US.exe.asc”
gpg: assuming signed data in ‘C:\Users\Andrew\Downloads\torbrowser-install-6.0.2_en-US.exe’
gpg: Signature made 06/20/16 07:48:31 Central Daylight Time using RSA key ID 2E1AC68ED40814E0
gpg: Note: signature key 2D000988589839A3 has been revoked
gpg: using subkey 2E1AC68ED40814E0 instead of primary key 4E2C6E8793298290
gpg: Note: signature key 2D000988589839A3 has been revoked
gpg: using pgp trust model
gpg: Good signature from “Tor Browser Developers (signing key) torbrowser@torproject.org” [unknown]
gpg: Note: signature key 2D000988589839A3 has been revoked
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
your GnuPG uses the “web of trust” model (technically named “pgp”).
You can see this in the “-v” output, it says “using pgp trust model”.
(I know that the terms are somewhat confusing within the applications
and various documentations. The reason is: this has grown over time and there
never was nor is enough available person power to do a major overhaul.)
The value “validity: unknown” in your first post means that within this model GnuPG cannot determine if the pubkey 4096R/93298290 really belongs to torbrowser@torproject.org
as the pubkey claims. Thus you get the warning " This key is not certified with a trusted signature!".
The “trust: full” means that you trust the pubkey as an indicator that other pubkeys,
those which are signed by (the subkeys of) 4096R/93298290 belong to the indicated
“owners”. The GnuPG FAQ speaks about “ownertrust” here.
If you are sure that the pubkey belong to torbrowser@torproject.org, you could
sign or localsign it with your our key.
Best Regards,
Bernhard
ps: Please consider to financially support Gpg4win if you like this answer and our work. https://www.gpg4win.de/donate.html