All Clojure and Clojure contrib jars are signed when they are uploaded to the Maven Central repo. A typical url in Maven Central will look something like:
Your dependency manager / build tool will download that file to your local Maven cache, usually:
You can append .asc to any jar or pom url in Maven to obtain the signature for that file:
curl -O https://repo1.maven.org/maven2/org/clojure/clojure/1.10.3/clojure-1.10.3.jar.asc
The Clojure key used to sign all jars is registered in the MIT key server (pgp.mit.edu):
9356 B31F 638B 658F B4DD F228 8D06 684A 958A E602
Clojure/core (build.clojure.org Release Key version 2) <firstname.lastname@example.org>
You can check this by verifying the jar with the signature:
$ gpg --verify clojure-1.10.3.jar.asc ~/.m2/repository/org/clojure/clojure/1.10.3/clojure-1.10.3.jar gpg: Signature made Thu Jun 6 08:43:47 2019 CDT gpg: using RSA key 8D06684A958AE602 gpg: Good signature from "Clojure/core (build.clojure.org Release Key version 2) <email@example.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9356 B31F 638B 658F B4DD F228 8D06 684A 958A E602
This reports a good signature (the content is what was signed) but warns that this key is not trusted in your GPG configuration. Marking the key as trusted is beyond the scope of this page but you can manually verify by comparing to the official key above.
To run gpg --verify, you may need to update your version of GPG and use a DNS server that can find the MIT key server (pgp.mit.edu).