As per https://www.jenkins.io/changelog-stable/ release 2.249.1 "switches agent.jar and remoting.jar to a code-signing certificate owned by the CDF". This is indeed the case as can be verified by downloading the said jenkins.war, unzipping it and running
jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.5.jar
This certificate is used up until release 2.303.2 but then for some reason in 2.303.3 this happens:
jarsigner -verbose:summary -verify WEB-INF\lib\remoting-4.10.1.jar
s 131429 Fri Oct 22 16:49:26 EEST 2021 META-INF/MANIFEST.MF
131410 Fri Oct 22 16:49:26 EEST 2021 META-INF/JENKINS.SF (and 1 more)
0 Fri Oct 22 16:49:08 EEST 2021 META-INF/ (and 80 more)
sm 1137 Fri Oct 22 16:48:42 EEST 2021 META-INF/annotations/org.kohsuke.accmod.Restricted (and 942 more)
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=Unknown, OU=Jenkins project, O=Continuous Integration Server, L=San Jose, ST=California, C=US"
Digest algorithm: SHA-256
Signature algorithm: SHA256withDSA, 1024-bit key
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2021-01-30).
Re-run with the -verbose and -certs options for more details.