If you run "sa-update -D" and see something like this:
 dbg: gpg: calling gpg  dbg: gpg: gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE  dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified  dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information  dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1  dbg: gpg: gpg: Can't check signature: general error error: GPG validation failed! The update downloaded successfully, but the GPG signature verification failed. channel: GPG validation failed, channel failed  dbg: generic: cleaning up temporary directory/files  dbg: diag: updates complete, exiting with code 4
Then you need to download an updated sa-update key.
As bug 5775 describes, the GnuPG developers decided to create a new error condition for a potentially-dangerous signature style, which unfortunately was one we use for the SpamAssassin update-signing key.
Running this should fix it:
wget http://spamassassin.apache.org/updates/GPG.KEY sa-update --import GPG.KEY