How do I verify a PGP-signed mirror list?
Import the market key once, run gpg verify on the signed list, and look for the good-signature line.
Short answer. Fetch the market public key once from two independent places, cross-check the fingerprint, import it, then run GnuPG verify on the signed list and look for the line that says the signature is good and names the market key.
What it proves
A signature proves the list was signed by the holder of a specific key and that not one byte has changed since. That means the addresses came from the market and nobody edited them.
Reading the result
A good-signature line is success. A warning that you have not certified the key is normal and expected. A bad-signature line means the list was altered, and you trust none of the addresses in it. Do not re-fetch the key each time, because that is another chance to be handed the wrong one.