My GPG setup has broken again and I’m postponing publishing new versions of libraries because of that. I’m thinking that maybe I should just give up on signing JARs because as far as I know, nobody actually does anything with the signatures. Personally I’m using deps.edn nowadays and I’m not even sure if anyone has come up with a way to check the signatures with deps.edn. Previously I thought that I should sign the JARs because somebody would hypothetically build a tool and a workflow to check signatures, but this has not happened.
Are there any arguments for signing jars? Is checking signatures part of anyone’s workflow?
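To make concrete what a consumer-side check would have to do, here is an added example (not code from the post, from Clojars, or from the Clojure CLI / deps.edn tooling). It locates the JAR and its detached `.asc` under the standard Maven repository layout, runs `gpg --verify` with machine-readable `--status-fd` output, and accepts the artifact only if gpg reports `VALIDSIG` for a key whose primary fingerprint the consumer has explicitly pinned. The pinned-fingerprint policy, the `Verdict` type, and the sample status lines are this example's own assumptions; the `[GNUPG:]` status tags and the Maven path layout are real.

```python
"""Signature-checking workflow for a PGP-signed JAR (added example).

Two pieces a consumer-side check needs:
  1. locating the .jar and its detached .asc in a Maven-layout repository, and
  2. deciding from gpg's --status-fd output whether the JAR was signed by a
     key the consumer has pinned in advance.
Trust is anchored in pinned fingerprints (this example's policy), not in
whatever keys happen to sit in the user's default keyring.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# gpg status tags that mean the signature must be rejected outright
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def artifact_paths(group: str, artifact: str, version: str) -> Tuple[str, str]:
    """Return (jar_path, asc_path) relative to a Maven-layout repository root."""
    base = f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}"
    return f"{base}.jar", f"{base}.jar.asc"


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # primary key fingerprint, if a VALIDSIG was seen


def evaluate_status(status_lines: Iterable[str], trusted_fingerprints: Iterable[str]) -> Verdict:
    """Apply the pinning policy to `gpg --status-fd` lines.

    Rules (this example's policy):
      * any BADSIG / ERRSIG / NO_PUBKEY / EXPKEYSIG / REVKEYSIG  -> reject
      * VALIDSIG whose primary-key fingerprint is pinned          -> accept
      * anything else (including a good signature by an unpinned key) -> reject
    """
    trusted = {fp.replace(" ", "").upper() for fp in trusted_fingerprints}
    fingerprint = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in REJECT_TAGS:
            return Verdict(False, f"gpg reported {tag}")
        if tag == "VALIDSIG":
            # VALIDSIG <sigkey-fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hashalgo> <class> [<primary-fpr>]
            # Prefer the primary key fingerprint (field 11); fall back to the signing key's.
            fingerprint = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if fingerprint is None:
        return Verdict(False, "no VALIDSIG line: signature did not verify")
    if fingerprint not in trusted:
        return Verdict(False, "good signature, but the key is not pinned", fingerprint)
    return Verdict(True, "signature valid and key pinned", fingerprint)


def verify_jar(jar_path: str, asc_path: str, trusted_fingerprints: Iterable[str],
               keyring: Optional[str] = None) -> Verdict:
    """Run gpg on a downloaded JAR + detached signature and evaluate the result.

    Status lines go to stdout via --status-fd 1; human-readable text stays on stderr.
    An optional dedicated keyring keeps the check independent of the user's own keys.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", asc_path, jar_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), trusted_fingerprints)


# Constructed sample status output, in the shape gpg emits for a verifying signature.
SAMPLE_STATUS_OK: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG DEADBEEF00000001 Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 8 00 "
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
]
# Constructed pinned fingerprint (with the spacing gpg prints), matching the sample above.
PINNED = ["FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"]

if __name__ == "__main__":
    print(artifact_paths("org.example", "lib", "1.2.3"))
    print(evaluate_status(SAMPLE_STATUS_OK, PINNED))
```

The point of the policy is that `gpg --verify` succeeding is not enough: `GOODSIG` only says some key in the keyring produced the signature, so a consumer has to decide up front which fingerprints are allowed to sign a given artifact. Where those fingerprints would live for a deps.edn project is exactly the missing piece the post is asking about.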