mojohaus / animal-sniffer

https://www.mojohaus.org/animal-sniffer/animal-sniffer-maven-plugin/
MIT License

Restrict allowed classes during deserialization of signature files #253

Closed Marcono1234 closed 9 months ago

Marcono1234 commented 1 year ago

Because signature files are created using Java Serialization, this pull request adds a new SignatureObjectInputStream which restricts the classes that are allowed to be loaded when reading signature files, to increase security.

I hope these changes are fine security-wise, but please let me know if I overlooked something or failed to consider something.

I have tested these changes with the following signatures to make sure that they can still be loaded successfully:

But feel free to perform additional tests to be safe.

Relates to #252. But I don't think this resolves that issue fully or renders it obsolete. A different file format which is inherently safer would still be better than having to implement additional security measures on top of Java Serialization, as done in this pull request.
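An added illustration of the allow-listing approach the PR describes (example code written for this page, not the project's SignatureObjectInputStream or its real signature classes; `SampleEntry`, its member map and the listed class names are constructed stand-ins):

```java
import java.io.*;
import java.util.*;

/** Resolves only allow-listed classes, rejecting everything else before it is loaded. */
public class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Arrays of primitives ("[I", "[[B") cannot carry code; anything else must be listed.
        if (!allowed.contains(name) && !name.matches("\\[+[ZBCSIJFD]")) {
            throw new InvalidClassException(name, "class not permitted in signature file");
        }
        return super.resolveClass(desc);
    }
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
        // Dynamic proxies bypass resolveClass, so they must be refused separately.
        throw new InvalidClassException("proxy", "proxies not permitted in signature file");
    }
    /** Constructed stand-in for a signature entry; not the plugin's real format. */
    static class SampleEntry implements Serializable {
        String className = "java/lang/Object";
        Map<String, String> members = new HashMap<>(Map.of("hashCode()I", "method"));
    }
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Strings need no entry: the stream encodes them natively without a class descriptor.
        Set<String> allowed = Set.of(SampleEntry.class.getName(), HashMap.class.getName());
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(serialize(new SampleEntry())), allowed)) {
            System.out.println("accepted: " + ((SampleEntry) in.readObject()).className);
        }
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(serialize(new Date())), allowed)) {
            in.readObject(); // java.util.Date is not listed, so this throws
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same allow list can instead be expressed with `ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("..."))`, which checks each class name before the descriptor is resolved.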

Marcono1234 commented 9 months ago

Thanks for your reviews! I just noticed a small typo in the tests and have pushed a commit for that and merged the changes from master into this branch; I hope that is ok. Please let me know if I should squash the commits of this PR.