
Yes, this is important: Maven Central/Sonatype only checks if the submitted artifacts are signed (regardless of the used key).

The work is shifted to the client, but there's currently no standardized way to verify dependencies and plugins.

There's an issue in the Maven bug tracker with the idea to extend the POM to allow trust information: https://issues.apache.org/jira/browse/MNG-6026
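The gap described above, that Central accepts a valid signature from any key while the client still has to decide whose key is acceptable, as an added example that is not code from the original post, from Maven or from Sonatype: a small Python check that layers a pinned-fingerprint policy (a keysmap) over parsed `gpg --status-fd` output. The keysmap entries, fingerprints and status lines are constructed placeholders.

```python
# Constructed keysmap: groupId or groupId:artifactId -> fingerprints allowed to sign it.
# The fingerprints are made-up placeholders, not any real project's keys.
KEYSMAP = {
    "org.example.lib": {"0000000000000000000000000000000000000001"},
    "org.example.lib:special-artifact": {"0000000000000000000000000000000000000002"},
}

def signing_fingerprint(status_text):
    """Return the signer's key fingerprint from `gpg --status-fd 1 --verify` output.

    Only a VALIDSIG line counts; BADSIG, ERRSIG or NO_PUBKEY yield None.
    """
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # fields[2] is the signing (sub)key; field 11, when present, is the primary key.
            return (fields[11] if len(fields) > 11 else fields[2]).upper()
    return None

def check_artifact(coordinates, status_text, keysmap=KEYSMAP):
    """coordinates is 'groupId:artifactId:version'. Returns (accepted, reason).

    Step 1 is what Central already checks: some key produced a valid signature.
    Step 2 is the client-side trust decision: that key must be pinned for the
    artifact, or failing that for its group.
    """
    group_id, artifact_id, _version = coordinates.split(":")
    fpr = signing_fingerprint(status_text)
    if fpr is None:
        return False, "no valid signature"
    allowed = keysmap.get(f"{group_id}:{artifact_id}", keysmap.get(group_id))
    if allowed is None:
        return False, f"valid signature by {fpr}, but no key is pinned for {group_id}:{artifact_id}"
    if fpr not in allowed:
        return False, f"valid signature by {fpr}, which is not pinned for {group_id}:{artifact_id}"
    return True, f"signed by pinned key {fpr}"

# Constructed gpg status output: a valid signature from the pinned key. Note the
# TRUST_UNDEFINED line: gpg itself makes no trust claim, so the keysmap has to.
STATUS_PINNED_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2024-01-01 1704067200 0 4 0 1 8 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: an equally valid signature from a key nobody pinned (passes step 1 only).
STATUS_OTHER_KEY = STATUS_PINNED_KEY.replace("0000000000000001", "0000000000000009")
# Constructed: a corrupted signature, which fails already at step 1.
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0000000000000001 Example Release Key <release@example.org>\n"
```

In a real build the status text would come from running `gpg --status-fd 1 --verify artifact.jar.asc artifact.jar` on each downloaded artifact, with the keysmap kept under version control alongside the POM.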
