So continuing this way GPG is worthless in general. Most of the keys you can't verify in person so there is no trust whatsoever. In this case Sonatype is verifying key for you. They will check if your key belongs to you and you are in control of your organization. Otherwise package would not be accepted.

I may be wrong but source and javadoc are requirements. Maybe there are some old packages without it, but new ones should be complete.

> So each package has been signed, but anyone could have issued the keys, so an attacker could easily do the same.

Not true. The GPG signature means the key belongs to an account with access to the group id (namespace, usually a domain), and that sonatype has verified the group id belongs to the original admin account for that group id.

It's not a lot of guarantees, but you cannot just generate a GPG key, sign a package, and publish to maven central.

You could for example opt for TOFU. Then at least you’d be protected against a malicious takeover unless the attacker manages to access the maintainers private key. That’s been a pretty common issue in the recent past.