See something like https://github.com/s4u/pgpverify-maven-plugin. Also, read through https://medium.com/netcracker/dependency-verification-checksum-vs-pgp-582e76207019 for more nuance around securing a build.