keymanager can_upgrade is not checking the validity of the key signature
It is using key.signatures that only has in the gpg keyring it's own key, it's missing the signing keys to be able to check the validity of the signatures.
As OpenPGPKey doesn't know about other keys we could add a method is_signed_by and pass the key that we care to check.
(from redmine: created on 2016-05-18)