I have just run into this problem as well. I need to implement https://community.developer.atlassian.com/t/action-required-atlassian-connect-installation-lifecycle-security-improvements/49046#running-a-custom-implementation-6 and have become stuck because I am being given the Public Key and I need to verify the JWT but I don’t have the Public Key.
I think that we need a Public Key only signer that will fail if you try and encode using it. We could probably even update the types so that you can provide different signers to the encode and decode phases.
This issue is now fixed in 0.11.0