Onhttps://dependency-check.github.io/DependencyCheck/dependency-check-cli/index.html#Installation_.26_Usage a procedure is given to verify downloads with gpg.

Ongpg --verify dependency-check-12.1.9-release.zip.asc I get:

gpg: assuming signed data in 'dependency-check-12.1.9-release.zip'
gpg: Signature made 11/11/25 13:31:51 W. Europe Standard Time
gpg: using RSA key 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
gpg: Good signature from "Jeremy Longjeremy.long@gmail.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 259A 5540 7DD6 C002 99E6 607E FFDE 55BE 73A2 D1ED

Did you intend to use an untrusted signature?