Allow hash type selection in API
Right now we only sign packages with SHA-256 (Adélie requirement). As upstream is quite satisfied with the insecure SHA-1 hash and does not plan to merge our SHA-256 code in, we should find a way to handle SHA-1 hashes so that we can interop better with their packages.