I don't know much about the first question, but note that it has been discussed here and here.
For the second question, I suppose that if you are confident that all the individuals who have write access to the remote machine are trustworthy, then you can trust the jar file even if it's unsigned. For example, if the remote source is a machine owned and controlled by you, and only you have the password, then you might not bother signing a jar file that you place there. Circumstances like this may not be very common, but they can occur.
Good luck!
[This message has been edited by Jim Yingst (edited February 04, 2001).]