Dockerfile: verify downloaded dependencies
go get ...
for dep
and swagger
allows for all sorts of nonsense. We should have a specific https URL that it downloads each of them from, and then verify the sha256sum of each of them before use. This is already done in the test builds in CI.