steps

publishSigned (via sbt-pgp)

problem

This will create sha1 for *.asc, like https://repo1.maven.org/maven2/com/github/sbt/sbt-ci-release_2.12_1.0/1.11.0-RC3/sbt-ci-release_2.12_1.0-1.11.0-RC3.pom.asc.sha1

expectation

Checksum files should not be created for asc?

The issue appears to be that sbt/sbt-ci-release is attempting to publish checksums for signature files (eg jar.asc.sha1).
It is the norm that only the raw files have checksums (eg jar files).
Example: https://repo1.maven.org/maven2/tools/jackson/module/jackson-module-scala_2.13/3.0.0-rc5/

workaround

Use publish for snapshots?

Originally posted by @pjfanning in sbt/sbt-ci-release#369 (comment)