
I think @iancarroll is pointing out that you seem to be conflating signature and identity verification. They are different concerns, yet both are necessary for secure software distribution.

Fine if you reject web-of-trust style identity verification, but your notion of "web identity verification" is not in any way a good substitute for code signature verification. What if someone compromises your hosted repository? Unless your artifact were already cryptographically signed, no amount of identity verification is going to help you.
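The repository-compromise scenario in the comment above, as an added example that is not part of the original thread: a publisher signs an artifact with an Ed25519 key before upload, the hosting side stores the bytes plus a checksum, and an attacker who controls the host swaps both. The checksum served by the same host still matches; the detached signature, checked against a public key the consumer obtained out of band, does not. All names, the key pair and the sample bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is what a hosting repository serves: the file bytes, a checksum the
// repository stores next to them, and a detached signature made by the publisher.
type Artifact struct {
	Data     []byte
	Checksum string // hex SHA-256, stored in the repository alongside the data
	Sig      []byte // Ed25519 signature over Data, made with the publisher's key
}

// Publisher holds the signing key. The key pair is generated on the fly for
// this demonstration; it is not any real project's key.
type Publisher struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: priv, Pub: pub}, nil
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish signs the artifact before upload; the repository never sees the private key.
func (p *Publisher) Publish(data []byte) Artifact {
	return Artifact{Data: data, Checksum: sha256Hex(data), Sig: ed25519.Sign(p.priv, data)}
}

// CompromiseRepository models an attacker who controls the hosting side: they can
// rewrite the bytes and the stored checksum, but hold no signing key, so the old
// signature is all they can serve.
func CompromiseRepository(a Artifact, replacement []byte) Artifact {
	return Artifact{Data: replacement, Checksum: sha256Hex(replacement), Sig: a.Sig}
}

// ChecksumOK is the weak check: it trusts a value served by the same repository.
func ChecksumOK(a Artifact) bool {
	return a.Checksum == sha256Hex(a.Data)
}

// SignatureOK is the strong check: the public key comes from outside the
// repository being verified (pinned in the build config, for instance).
func SignatureOK(pub ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pub, a.Data, a.Sig)
}

func main() {
	p, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	genuine := p.Publish([]byte("library-1.0.jar (constructed sample bytes)"))
	tampered := CompromiseRepository(genuine, []byte("library-1.0.jar with injected change"))

	fmt.Printf("genuine:  checksum=%v signature=%v\n", ChecksumOK(genuine), SignatureOK(p.Pub, genuine))
	fmt.Printf("tampered: checksum=%v signature=%v\n", ChecksumOK(tampered), SignatureOK(p.Pub, tampered))
}
```

The design point is where the trust anchor lives: the checksum and the bytes share a trust domain, so one compromise defeats both, whereas the verification key is distributed separately and the signature binds the artifact to whoever holds its private half. Knowing who uploaded the file (identity verification) answers a different question and does not replace this check.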


That's very true. That's why Bintray has both "web identity verification" and PGP signing, while Maven Central gives you signing only, without a way to really identify the author.


Fwiw, Bintray requires the private key and passphrase to do the signing. This isn't really proper key handling and has been pointed out before.


Brian, how ignorant of you (again). The docs on signing are public, you could read before spreading FUD.

