Many of these GPG signatures use SHA-1 as the digest algorithm, and new research has brought chosen-prefix collisions on SHA-1 (the kind of collision that lets a signature over one file be reused on a second file prepared by the attacker) within practical reach:
Our initial estimations were $1 million to compute the chosen-prefix collision, which is an amount of money we simply don’t have. Thanks to our latest improvements, the cost went down below $100,000 and we are currently working on computing the first chosen-prefix collision for SHA-1.
- https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/
Also, signatures can only get you so far: a valid signature shows that some key signed the JAR, not that it was the right key. You also need Gradle/Maven to tie the signing key to the expected author of the artifact in a meaningful way, for example by pinning which keys are trusted to sign which group.
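The two points above (which signatures still use SHA-1, and whether the signer is the key you expect for that group) can be checked directly from the `.asc` files. The following is an added example written for this page, not code from the original post or from the Gradle or Maven projects: a small Python audit that strips the ASCII armor of a detached signature, checks the armor CRC, parses the OpenPGP signature packet as laid out in RFC 4880, reports the digest algorithm and issuer key ID, and compares the issuer against a per-group allowlist. The `TRUSTED_KEYS` map, the group `org.example`, the key IDs and the sample signatures are all constructed for the example; the samples are structurally valid but carry a dummy MPI, so they verify nothing.

```python
import base64
import struct

# OpenPGP hash-algorithm IDs (RFC 4880 section 9.4); the first three are the ones an audit should flag.
HASH_ALGORITHMS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}
# CONSTRUCTED (hypothetical) allowlist: group ID -> long key IDs allowed to sign that group's artifacts.
TRUSTED_KEYS = {"org.example": {"0123456789ABCDEF"}}

def crc24(data: bytes) -> int:
    """CRC-24 of the armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip the armor of a .asc file, check its CRC and return the raw packet bytes."""
    lines = [line.strip() for line in text.splitlines()]
    start = lines.index("", lines.index("-----BEGIN PGP SIGNATURE-----")) + 1  # headers end at a blank line
    body, checksum = [], None
    for line in lines[start:]:
        if line.startswith("-----END"):
            break
        if line.startswith("="):
            checksum = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    if checksum is not None and base64.b64decode(checksum) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC mismatch")
    return data

def packet_body(data: bytes) -> tuple:
    """Return (tag, body) of the first packet; gpg writes signatures with old-format headers (section 4.2)."""
    first = data[0]
    if first & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    tag, size = (first >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(first & 0x03)  # tag in bits 2-5, length size in bits 0-1
    if size is None:
        raise ValueError("indeterminate packet length not supported")
    length = int.from_bytes(data[1:1 + size], "big")
    return tag, data[1 + size:1 + size + length]

def subpackets(data: bytes):
    """Yield (type, value) for each signature subpacket (section 5.2.3.1)."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]  # the length counts the type octet
        i += length

def signature_info(armored: str) -> dict:
    """Parse a v4 detached signature and report its hash algorithm and issuer key ID."""
    tag, body = packet_body(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError(f"expected a v4 signature packet, got tag {tag} version {body[0]}")
    pk_alg, hash_alg = body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
    hashed, unhashed = body[6:6 + hashed_len], body[8 + hashed_len:8 + hashed_len + unhashed_len]
    subs = list(subpackets(hashed)) + list(subpackets(unhashed))
    issuer = next((v.hex().upper() for t, v in subs if t == 16), None)  # issuer key ID subpacket (type 16)
    name = HASH_ALGORITHMS.get(hash_alg, f"unknown({hash_alg})")
    return {"pubkey_alg": pk_alg, "hash": name, "weak_hash": name in WEAK_HASHES, "issuer_key_id": issuer}

def audit_artifact(group: str, armored: str, trusted=TRUSTED_KEYS) -> list:
    """List what is wrong with an artifact's signature: a weak digest and/or a signer not pinned to its group."""
    info = signature_info(armored)
    problems = []
    if info["weak_hash"]:
        problems.append(f"signature uses {info['hash']}")
    if info["issuer_key_id"] not in trusted.get(group, set()):
        problems.append(f"signer {info['issuer_key_id']} is not a trusted key for {group}")
    return problems

def build_sample_signature(hash_alg: int, key_id_hex: str = "0123456789ABCDEF") -> str:
    """CONSTRUCTED input: a structurally valid armored v4 RSA signature with a dummy MPI (it verifies nothing)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1580000000)  # creation-time subpacket; length includes the type
    unhashed = bytes([9, 16]) + bytes.fromhex(key_id_hex)  # issuer key ID subpacket
    mpi = struct.pack(">H", 16) + b"\x80\x01"  # 16-bit dummy RSA signature value
    body = (bytes([4, 0x00, 1, hash_alg]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xAB\xCD" + mpi)
    packet = bytes([0x88, len(body)]) + body  # old-format header: tag 2, one-octet length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")
```

Pointed at the `.asc` files in a local repository cache (for example under `~/.m2/repository`), `signature_info` is enough to count how many signatures still use SHA-1, and `audit_artifact` shows the second check: a signature that parses and would verify is still a finding if the issuer is not one of the keys pinned for that group. Gradle's dependency verification metadata does this pinning natively with its trusted-keys configuration; the script only exposes the data that pinning relies on.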