I'm suggesting phasing out SHA1, and during a v1.x to v1.x+1 upgrade do a migration script for all content to gain (say) BLAKE2 hashes *instead*, and for that install, clients with incompatible hashing are rejected.
There are alternates too, where up to a moment in time a repo has SHA1s, and thence after has some other algo.
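
The migration and client rejection suggested above, as an added example (not part of the original comment and not any project's own code). The in-memory store and the names `migrate` and `negotiate` are hypothetical, and BLAKE2b is assumed as the BLAKE2 variant.

```python
import hashlib

def digest(algo, data):
    # hashlib.new accepts both "sha1" and "blake2b" by name
    return hashlib.new(algo, data).hexdigest()

def migrate(store, old="sha1", new="blake2b"):
    """Re-key every object under `new`, verifying it against its `old` key first.

    Returns (new_store, old_to_new mapping, list of old keys that failed verification).
    """
    new_store, mapping, corrupt = {}, {}, []
    for old_key, blob in store.items():
        if digest(old, blob) != old_key:
            # Never carry an object that already fails its old hash into the
            # new namespace: rehashing it would give bad content a valid new ID.
            corrupt.append(old_key)
            continue
        new_key = digest(new, blob)
        new_store[new_key] = blob
        mapping[old_key] = new_key  # kept so old references can be rewritten
    return new_store, mapping, corrupt

def negotiate(install_algo, client_algos):
    """After migration the install speaks one algorithm; other clients are rejected."""
    if install_algo not in client_algos:
        raise ValueError("client rejected: install requires " + install_algo)
    return install_algo

def build_sample_store():
    # Constructed sample content, keyed by SHA-1 as in the pre-upgrade install.
    blobs = [b"trunk/README\n", b"trunk/main.c\n"]
    store = {digest("sha1", b): b for b in blobs}
    store["0" * 40] = b"tampered"  # constructed entry whose key does not match
    return store

if __name__ == "__main__":
    new_store, mapping, corrupt = migrate(build_sample_store())
    print(len(new_store), "objects migrated;", len(corrupt), "failed verification")
    print(negotiate("blake2b", ["sha1", "blake2b"]))
```
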