I have open sourced several of my projects and have published artifacts on sonatype.org. Is it important to sign your artifacts, does JBoss and other open source publishers sign their code?
It is important and is actually required to get your artifact synced with a trustable repository like Maven Central. From How to Generate PGP Signatures with Maven:
If you are developing software using Maven, you should generate a PGP signature for your releases. Releasing software with valid signatures means that your customers can verify that a software artifact was generated by the original author and that it hasn’t been modified by anyone in transit. Most large OSS forges like the Apache Software Foundation require all projects to be released by a release manager whose key has been signed by other members of the organization, and if you want to synchronize your software artifacts to Maven central you are required to provide pgp signatures.
Whether other people are doing it or not with their own repository is irrelevant.