I understand that this can be done at release using the maven-gpg-plugin. However, I am not developing open source software. Do I still need to sign my own artifacts? What is the point of this? I thought that once my sources were compiled into a JAR, they were secure anyway? Thanks!
If you compile your sources into a jar is ok. But a jar a is simply zip file which can be simply unpacked by unzip/jar after that you can modify the contents of a jar which means you can simply change the contents and repackage that into a jar. So to say it clear: It's safe is simply wrong.
If you create your artifacts via maven you will deploy your artifacts to a repository manager and during the release process a SHA1 sum is created ...which can be checked during the usage of dependencies (download). The default configuration just prints out a warning if the checksum in the repository is not the same as calculated over the jar archive. You can if you like change the configuration to break the build if the checksum is wrong. The checksum is only to identify modifications of artifacts which is also not 100% safe cause it can happen that you have a man-in-the-middle-attack which might not only modifiy the contents of the jar and also the checksum. On the other hand the signing of an artifact is used to identify who has created that artifact. In some environments it does make sense to sign artifacts during the release process.
Update To prevent man-in-the-middle-attach the Maven central repository used for a long time https instead of http.