Use stronger digest algorithm for index signing

F-Droid uses SHA1withRSA for index.jar signing. But in recent years, collision attacks against SHA1 are becoming practical and the cost is getting lower (https://en.wikipedia.org/wiki/SHA-1#Attacks).

Since metadata serves as an essential layer of defense against package tampering, please consider using a stronger digest algorithm, like SHA256, for metadata signing.

Edited by First Last
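
An added example, not part of the original issue or F-Droid's own code: one way to check which digest and signature algorithms a signed JAR such as index.jar declares, by reading the PKCS#7 SignerInfo in its META-INF signature block. The function names and the sample JAR are constructed for illustration; the parser assumes DER with definite lengths and a SignerInfo identified by issuer and serial number, and it reports the declared algorithms without verifying the signature.

```python
import io, zipfile

OID_NAMES = {  # hex of DER OID bodies -> algorithm names
    "2b0e03021a": "SHA-1", "608648016503040201": "SHA-256",
    "2a864886f70d010101": "RSA", "2a864886f70d010105": "SHA1withRSA",
    "2a864886f70d01010b": "SHA256withRSA"}

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the count of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def signer_algorithms(pkcs7):
    """Return [(digest_alg, signature_alg)], one pair per SignerInfo in a PKCS#7 block."""
    _, (_, wrapped) = tlvs(next(tlvs(pkcs7))[1])  # ContentInfo: OID signedData, [0] EXPLICIT
    signed_data = next(tlvs(wrapped))[1]
    signer_infos = [v for t, v in tlvs(signed_data) if t == 0x31][-1]  # last SET
    pairs = []
    for _, si in tlvs(signer_infos):
        seqs = [v for t, v in tlvs(si) if t == 0x30]  # issuerAndSerial, digestAlg, sigAlg
        oids = [next(tlvs(alg))[1].hex() for alg in seqs[1:3]]
        pairs.append(tuple(OID_NAMES.get(h, h) for h in oids))
    return pairs

def audit_jar(jar):
    """Map each META-INF signature block to ([(digest, sig)], uses_sha1); jar is a path or file object."""
    report = {}
    with zipfile.ZipFile(jar) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                algs = signer_algorithms(z.read(name))
                report[name] = (algs, any(a in ("SHA-1", "SHA1withRSA") for p in algs for a in p))
    return report

def sample_jar(digest_hex, sig_hex):  # constructed sample with a dummy PKCS#7 block, not a real index
    e = lambda tag, *parts: bytes([tag, sum(map(len, parts))]) + b"".join(parts)  # elements < 128 bytes
    alg = lambda h: e(0x30, e(6, bytes.fromhex(h)), e(5))  # AlgorithmIdentifier: OID, NULL
    si = e(0x30, e(2, b"\x01"), e(0x30, e(0x30), e(2, b"\x01")), alg(digest_hex), alg(sig_hex), e(4, b"\0" * 4))
    sd = e(0x30, e(2, b"\x01"), e(0x31, alg(digest_hex)), e(0x30, e(6, bytes.fromhex("2a864886f70d010701"))), e(0x31, si))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/1.RSA", e(0x30, e(6, bytes.fromhex("2a864886f70d010702")), e(0xA0, sd)))
    return buf
```

Calling `audit_jar("index.jar")` on a downloaded index gives the same report; a `True` flag means the signer declares SHA-1 either as the digest or inside the signature algorithm.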