There is a vulnerability where a public subkey could be attached to another certificate whose owner could then claim to have signed a document. To prevent such a scenario occurring, GnuPG now checks that signing keys are crosscertified before verifying signatures. Cross certification requires that subkeys sign the primary key to prove their authenticity. These “back” or “binding” signatures are embedded within the self-certification signatures that GnuPG adds to the signing subkeys – you can’t see them with --list-sigs.
Older versions of GnuPG or other OpenPGP applications may not have this feature and signing subkeys generated with these applications may lack the required binding signatures. Owners of such keys can resolve this with the cross-certify command available in the key editing mode of the latest gpg.
You can read the official explanation at www. gnupg.org/faq/subkey-cross-certify.html.