Mention JAR signing key in SECURITY.md

This commit adds a link to the now published information on spring.io
about the GPG key used to sign the Spring artifacts published on Maven
Central.

Closes gh-23434

Author: bclozel

SECURITY.md

@@ -1,5 +1,10 @@
 # Security Policy
 
+## JAR signing
+
+Spring Framework JARs released on Maven Central are signed.
+You'll find more information about the key here: https://spring.io/GPG-KEY-spring.txt
+
 ## Supported Versions
 
 Please see the