Bug 7765 - Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate
Summary: Mail-SpamAssassin-rules-3.4.2.r1840640.tgz does not validate
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Building & Packaging
Version: 3.4.2
Hardware: PC Linux
: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-27 12:26 UTC by Arjen de Korte
Modified: 2019-11-03 15:59 UTC
Description Arjen de Korte 2019-10-27 12:26:30 UTC
This archive seems to be signed with an unknown key (RSA key 6C55397824F434CE). The key in the https://www.apache.org/dist/spamassassin/KEYS is RSA key FDE52F40F7D39814.
Comment 1 Kevin A. McGrail 2019-10-30 07:53:32 UTC
That is a rule file.  In the sa-update man page you will see it documented:

 --gpgkey
           sa-update has the concept of "release trusted" GPG keys.  When an archive is downloaded and the signature
           verified, sa-update requires that the signature be from one of these "release trusted" keys or else
           verification fails.  This prevents third parties from manipulating the files on a mirror, for instance, and
           signing with their own key.

           By default, sa-update trusts key ids "24F434CE" and "5244EC45", which are the standard SpamAssassin release
           key and its sub-key.  Use this option to trust additional keys.  See the --import option for how to add
           keys to sa-update's keyring.  For sa-update to use a key it must be in sa-update's keyring and trusted.

           For multiple keys, use the option multiple times.  i.e.:

                   sa-update --gpgkey E580B363 --gpgkey 298BC7D0

           Note: use of this option automatically enables GPG verification.
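The "release trusted" check described in the man page excerpt above, as an added example that is not sa-update's own code: it parses the machine-readable lines gpg prints with --status-fd (constructed inline here, with placeholder user ids) and accepts a signature only when it is good and the signer's key id ends with one of the trusted ids, so the rules key 6C55397824F434CE from the report passes against the default list while the release key FDE52F40F7D39814 from KEYS is rejected.

```sh
#!/bin/sh
# Added example: a minimal version of sa-update's "release trusted" key check.
# It does not call gpg; it parses the lines gpg prints with --status-fd.

# Default release-trusted ids quoted from the sa-update man page (short ids).
DEFAULT_TRUSTED="24F434CE 5244EC45"

# Constructed status output: rules archive signed by the sa-update key
# 6C55397824F434CE (the key the reporter saw). The user id is a placeholder.
STATUS_RULES='[GNUPG:] GOODSIG 6C55397824F434CE (placeholder uid)
[GNUPG:] TRUST_ULTIMATE'

# Constructed: same archive signed by the release key FDE52F40F7D39814 from
# KEYS. That key is in the keyring but is not release-trusted for rule updates.
STATUS_RELEASE='[GNUPG:] GOODSIG FDE52F40F7D39814 (placeholder uid)
[GNUPG:] TRUST_ULTIMATE'

# Constructed: a tampered archive, the signature does not verify at all.
STATUS_BAD='[GNUPG:] BADSIG 6C55397824F434CE (placeholder uid)'

# is_release_trusted STATUS TRUSTED_IDS
# Returns 0 only when gpg reported GOODSIG (and no BADSIG) and the signing key
# id ends with one of the trusted ids; short 8-hex ids match the tail of long
# ids, which is why "24F434CE" accepts 6C55397824F434CE.
is_release_trusted() {
    status=$1
    trusted=$2
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        return 1
    fi
    signer=$(printf '%s\n' "$status" \
        | awk '/^\[GNUPG:\] GOODSIG /{print toupper($3); exit}')
    [ -n "$signer" ] || return 1
    for id in $trusted; do
        id=$(printf '%s' "$id" | tr 'a-z' 'A-Z')
        case "$signer" in
            *"$id") return 0 ;;
        esac
    done
    return 1
}

# Stand-alone demonstration: prints "accepted" once, then "rejected" twice.
for s in "$STATUS_RULES" "$STATUS_RELEASE" "$STATUS_BAD"; do
    is_release_trusted "$s" "$DEFAULT_TRUSTED" && echo accepted || echo rejected
done
```

Passing the rules key's id via --gpgkey (or the --import step the man page refers to) is what moves a key from "in the keyring" to "release trusted"; a key present in KEYS alone is not enough.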
Comment 2 Arjen de Korte 2019-10-30 21:16:30 UTC
The reason for submitting this bug was the following text on https://spamassassin.apache.org/downloads.cgi?update=201809160000

"GPG Signing Key
If you want to use GPG to verify the downloads listed above, please use the SpamAssassin Release GPG Keys to verify them."

The rules file is one of the files mentioned above and is listed with a GPG signature. It is mentioned nowhere on this page that verifying this archive requires a different key.
Comment 3 Kevin A. McGrail 2019-10-30 21:52:55 UTC
Agreed.  Do you have suggested language to fix it?
Comment 4 Arjen de Korte 2019-10-30 22:10:42 UTC
Mentioning that the rules archive requires a different key (available from https://spamassassin.apache.org/updates/GPG.KEY) would have tipped me off.
Comment 5 Kevin A. McGrail 2019-11-03 15:59:09 UTC
Thank you for your persistence.  I agree this is confusing and you'll find the KEYS file should be clearer now:

Check  https://spamassassin.apache.org/KEYS and 
https://www.apache.org/dist/spamassassin/KEYS