Signing algorithm: Support for SHA256 / ECDSA Elliptic Curves
The sign_jar function currently contains this docstring:
> This does use old hashing algorithms, i.e. SHA1, but that's not
> broken yet for file verification. This could be set to SHA256,
> but then Android < 4.3 would not be able to verify it.
> https://code.google.com/p/android/issues/detail?id=38321
I'm sure this decision made sense 7 years ago, but maybe it is time to drop support for Android <4.3 and use a more sensible algorithm like SHA256withECDSA (https://android-review.googlesource.com/c/platform/libcore/+/44491)?
There's always a tradeoff between security and compatibility. Compatibility is usually in conflict with security, so a reasonable tradeoff needs to be found. What are the project's support policies with regards to the Android version?
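An added example, not fdroidserver's own code, showing how to audit what a JAR/APK v1 signature actually uses before deciding on such a policy: it reads the digest attribute names in `META-INF/*.MF` and `*.SF` and the signature block file extension (`.RSA`, `.DSA`, `.EC`), and reports whether the package still depends on SHA-1 digests, which the docstring above says is what Android < 4.3 can verify. The sample APK and the function names are my own constructions; the PKCS#7 block is a dummy and is not parsed.

```python
import io
import re
import zipfile

# Signature block file extensions and the key type they imply.
SIG_BLOCK_EXT = {".RSA": "RSA", ".DSA": "DSA", ".EC": "ECDSA"}
# Matches '*-Digest', '*-Digest-Manifest' and '*-Digest-Manifest-Main-Attributes'.
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)

def audit_v1_signature(apk_bytes):
    """Report digest algorithms and signature block key types in META-INF.

    'pre_4_3_ok' is True only when every digest is SHA-1, since the docstring
    above notes that Android < 4.3 cannot verify SHA-256 digests.
    """
    digests, blocks = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            if upper.endswith((".MF", ".SF")):
                text = zf.read(name).decode("utf-8", "replace")
                for m in DIGEST_ATTR.finditer(text):
                    digests.add(m.group(1).upper().replace("-", ""))
            else:
                for ext, key_type in SIG_BLOCK_EXT.items():
                    if upper.endswith(ext):
                        blocks.add(key_type)
    return {"digests": sorted(digests), "signature_blocks": sorted(blocks),
            "pre_4_3_ok": bool(digests) and digests <= {"SHA1"}}

def build_sample_apk(digest_attr, block_file):
    """Constructed stand-in for a v1-signed APK; the signature block is a dummy."""
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: classes.dex\r\n{digest_attr}: AAAA\r\n\r\n")
    sf = (f"Signature-Version: 1.0\r\n{digest_attr}-Manifest: BBBB\r\n\r\n"
          f"Name: classes.dex\r\n{digest_attr}: AAAA\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.SF", sf)
        zf.writestr(f"META-INF/{block_file}", b"\x30\x82")  # placeholder, not real PKCS#7
        zf.writestr("classes.dex", b"dex\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_v1_signature(build_sample_apk("SHA1-Digest", "CERT.RSA")))
    print(audit_v1_signature(build_sample_apk("SHA-256-Digest", "CERT.EC")))
```

Run against a real APK by passing the file's bytes to `audit_v1_signature`; the signature algorithm inside the PKCS#7 block (e.g. SHA256withECDSA) would need a CMS parser, which this check deliberately leaves out.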