If you run "sa-update -D" and see something like this:
 dbg: gpg: calling gpg
 dbg: gpg: gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
 dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
 dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more
 dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1
 dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
channel: GPG validation failed, channel failed
 dbg: generic: cleaning up temporary directory/files
 dbg: diag: updates complete, exiting with code 4
Then you need to download an updated sa-update key.
As bug 5775 describes, the GnuPG developers decided to create a new error condition for a potentially-dangerous signature style, which unfortunately was one we use for the SpamAssassin update-signing key.
Running this should fix it:
sa-update --import GPG.KEY