The SHA1 algorithm is 'practically broken'; see the recent news at https://shattered.io/,
which under "What types of systems are affected?" says "Any application that relies on SHA-1 for digital signatures" and mentions "Email PGP/GPG signatures".
The Purism canaries are signed using the SHA1 algorithm in:
"-----BEGIN PGP SIGNED MESSAGE-----
Use SHA256 as the signing algorithm for future canaries.
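One way to check which digest a cleartext-signed canary uses, as an added example that is not part of the original report: it reads the `Hash:` armor header and the hash algorithm ID inside the signature packet (RFC 4880 layout) and flags weak digests, without verifying the signature. The function names, the `WEAK` policy set and the sample message are assumptions constructed for illustration.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: policy list for this example

def header_hashes(text):
    """Digest names declared in the cleartext 'Hash:' armor headers."""
    lines = text.splitlines()
    names = []
    for line in lines[lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1:]:
        if not line.strip():
            break  # a blank line ends the armor headers
        key, _, value = line.partition(":")
        if key.strip().lower() == "hash":
            names += [v.strip().upper() for v in value.split(",")]
    return names or ["MD5"]  # RFC 4880: no Hash header means MD5

def signature_hash(text):
    """Hash algorithm recorded inside the first signature packet."""
    armor = text.split("-----BEGIN PGP SIGNATURE-----")[1]
    armor = armor.split("-----END PGP SIGNATURE-----")[0]
    body = armor.split("\n\n", 1)[1]  # skip armor headers
    data = "".join(l for l in body.split() if not l.startswith("="))  # drop CRC
    pkt = base64.b64decode(data)
    if pkt[0] & 0x40:  # new-format packet header
        tag = pkt[0] & 0x3F
        skip = 3 if 192 <= pkt[1] < 224 else 6 if pkt[1] == 255 else 2
    else:              # old-format packet header
        tag = (pkt[0] >> 2) & 0x0F
        skip = (2, 3, 5, 1)[pkt[0] & 3]
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    sig = pkt[skip:]
    algo = sig[16] if sig[0] == 3 else sig[3]  # v3 vs v4 field layout
    return HASH_IDS.get(algo, f"UNKNOWN({algo})")

def audit(text):
    """Return (declared, actual, weak) for one cleartext-signed message."""
    text = text.replace("\r\n", "\n")
    declared, actual = header_hashes(text), signature_hash(text)
    return declared, actual, bool(WEAK & (set(declared) | {actual}))

def sample(name, algo):
    """Constructed test message with a truncated v4 packet (not a valid signature)."""
    pkt = base64.b64encode(bytes([0x88, 6, 4, 1, 1, algo, 0, 0])).decode()
    return (f"-----BEGIN PGP SIGNED MESSAGE-----\nHash: {name}\n\ncanary text\n"
            f"-----BEGIN PGP SIGNATURE-----\n\n{pkt}\n-----END PGP SIGNATURE-----\n")
```

The armor header is only a declaration, so the check also reads the packet field that the signature actually binds to; a mismatch between the two is itself worth flagging.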