The jar files provided on maven doesn't have a pgp signature provided with them.

This makes it hard to verify the authenticity of the packages that we download.

This is a copy of #PLANNER-329 but as we depend on both projects it would be good to have this in place here also.