FWIU, currently --verify considers a signature trusted if it is made using a key that has at least one trusted UID. This is suboptimal for batch checking since it means that a person whose identity I've verified in the past can add a forged UID and while it will be untrusted, a lot of programs will happily assume that the signature is trusted.
Of course, this can currently be solved at program level. However, it's quite inconvenient (a lot of plumbing work in the end), and upstreams actively refuse to do it. For example, Evolution maintainers closed a report of this problem, claiming that changes on GnuPG must happen first.
I believe it would be helpful if GnuPG had an additional option to specify the apparent UID (e-mail address) that the signature is expected to originate from. If this option is used, GnuPG should consider a signature trusted only if the signing key has a matching UID and that UID is trusted. Otherwise, it should consider the signature untrusted even if the key is normally considered trusted.
$ gpg --verify test.gpg
gpg: Signature made Wed Oct 30 17:44:59 2019 CET
gpg:                using RSA key C76A845094098D28CC8B26C5639ADAE2329E240E
gpg: Good signature from "Michał Górny (Gentoo) <email@example.com>" [ultimate]
gpg:                 aka "keybase.io/mgorny <firstname.lastname@example.org>" [ultimate]
gpg:                 aka "Michał Górny (XMPP) <email@example.com>" [ultimate]
gpg:                 aka "Michał Górny (NetBSD) <mgorny@NetBSD.org>" [ultimate]
BUT if I did:
$ gpg --new-fancy-uid-option firstname.lastname@example.org --verify test.gpg
it would report the signature as untrusted because email@example.com is not a trusted UID on that key.
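As an added illustration that is not part of the original report, the per-UID check requested above can be approximated today at program level by pairing the VALIDSIG status line with the validity column of a --with-colons key listing. The status and listing lines below are constructed samples whose shapes follow gpg's documented --status-fd and --with-colons formats; the fingerprint and UIDs are placeholders, not keys from the page.

```python
import re

# Validity codes in field 2 of a "uid" record that GnuPG treats as trusted:
# "f" (fully valid) and "u" (ultimately valid). Anything else, including
# "-" (unknown) or "q" (undefined), is an untrusted UID even on a trusted key.
TRUSTED_VALIDITY = {"f", "u"}

# Extract the address from a user ID such as 'Name (comment) <addr>'.
EMAIL_RE = re.compile(r"<([^>]+)>\s*$")


def signing_fingerprint(status_lines):
    """Return the fingerprint from a VALIDSIG status line, or None if absent."""
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2]
    return None


def trusted_uid_emails(colon_lines):
    """Map each e-mail on a --with-colons listing to whether its UID is trusted."""
    result = {}
    for line in colon_lines:
        fields = line.split(":")
        if fields[0] != "uid" or len(fields) < 10:
            continue
        match = EMAIL_RE.search(fields[9])  # field 10 is the user ID string
        if match:
            result[match.group(1).lower()] = fields[1] in TRUSTED_VALIDITY
    return result


def signature_trusted_for(expected_email, status_lines, colon_lines):
    """Trusted only if the signature is good AND the expected address is a
    trusted UID on the signing key. A forged, unverified UID for that address
    on an otherwise trusted key yields False, as the report asks for."""
    if signing_fingerprint(status_lines) is None:
        return False
    return trusted_uid_emails(colon_lines).get(expected_email.lower(), False)


# Constructed sample: a good signature from a key whose first UID is ultimately
# trusted, while a later, forged UID for another address is unverified ("-").
SAMPLE_STATUS = [
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2019-10-30 "
    "1572453899 0 4 0 1 8 00 0000000000000000000000000000000000000000",
]
SAMPLE_COLONS = [
    "pub:u:4096:1:0000000000000000:1500000000::::u:::scESC::::::23::0:",
    "fpr:::::::::0000000000000000000000000000000000000000:",
    "uid:u::::1500000000::AAAA::Alice Example (Gentoo) <alice@example.com>::::::::::0:",
    "uid:-::::1572453899::BBBB::Alice Example (forged) <alice@forged.example>::::::::::0:",
]
```

In practice the two inputs come from `gpg --status-fd 1 --verify` and `gpg --with-colons --list-keys <fingerprint>` on the fingerprint VALIDSIG reports.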