Description
maven-deploy-plugin is responsible for signing jar. However, it seems SHA-1 is hardcoded there.
In the latest apache parent pom (org.apache:apache:23) a checksum-maven-plugin is used as a workaround to sign jars with SHA-512. But it signs only source jar and do not affect binary jar.