I mean, does it matter if the wrapper is not signed as long as the wrapped jar is signed?
It mostly depends on the requirement on the consumer side. For most technologies, no-one seems to care about signatures inside jars; SimRel does.
> I would like to have a chance of discovering if someone tampered
> artifacts on my machine *after* installation. Checksums help with
> installation but not after installation.
This is IMO not the issue signing is about.
Checking the last modification date of the file is sufficient to know when an artifact has been tampered with. Keeping checksums of baseline vs current can also help. For a previous company I was working for, a checksum was requested for all files under the plugins/ folder to verify whether artifacts were tampered with compared to the provided set. No signing was involved.
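The "checksums of all files under plugins/" approach described above, as an added example that is not part of the original thread or of any Eclipse/SimRel tooling. It records a SHA-256 baseline of a plugins/ tree into a manifest kept outside that tree, then reports added, removed and modified files on a later run. The `demo()` function builds a constructed plugins/ directory in a temp folder and simulates post-install tampering; all file names and contents in it are made up. It compares content hashes rather than timestamps, and deliberately resets the edited file's mtime to show that a content hash still catches the change.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 65536


def hash_file(path: Path) -> str:
    """SHA-256 of a file's content, streamed so large jars are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    """Persist the baseline; dest should live outside the directory it describes."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two manifests: files that appeared, disappeared, or changed content."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a plugins/ tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        plugins.mkdir()
        # Constructed stand-ins for bundle jars; the bytes are arbitrary.
        jar_a = plugins / "org.example.a_1.0.0.jar"
        jar_b = plugins / "org.example.b_1.0.0.jar"
        jar_c = plugins / "org.example.c_1.0.0.jar"
        jar_a.write_bytes(b"bundle a v1")
        jar_b.write_bytes(b"bundle b v1")
        jar_c.write_bytes(b"bundle c v1")

        # Baseline is written OUTSIDE plugins/ so it is not part of what it measures.
        manifest_path = Path(tmp) / "plugins.sha256.json"
        save_manifest(build_manifest(plugins), manifest_path)

        # Simulate post-install tampering: edit a, delete b, drop in an extra jar.
        stat_before = jar_a.stat()
        jar_a.write_bytes(b"bundle a v1 + injected bytes")
        # Put the original timestamps back: an mtime check alone would miss this edit.
        os.utime(jar_a, (stat_before.st_atime, stat_before.st_mtime))
        jar_b.unlink()
        (plugins / "org.example.extra_1.0.0.jar").write_bytes(b"unexpected bundle")

        return compare(load_manifest(manifest_path), build_manifest(plugins))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline manifest is only as trustworthy as where it is stored: keep it read-only, or off the host, or signed, since anyone who can rewrite plugins/ can usually rewrite a manifest that sits next to it.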