You can read more about this tool in the offical guide: jarsigner - JAR Signing and Verification Tool.
Signing or verifying a Java archive which is neither a project artifact nor an attached artifact can be done by using the archive parameter of the sign and verify goals. If this parameter is set, the goals will process the specified archive and will not process any project artifacts.
To remove any existing signatures from the JARs before signing with your own key, simply set the parameter removeExistingSignatures of the sign mojo to true. The resulting JAR will then appear to be signed exactly once.
To fix the problem, just move the assembly execution so it comes after the jarsigner execution in the pom.
The whole story of the problem can be found in MJARSIGNER-13 issue.