The SHA1 algorithm is 'practically broken'; see the recent news at https://shattered.io/
which, under "What types of systems are affected?", says "Any application that relies on SHA-1 for digital signatures" and mentions "Email PGP/GPG signatures".
The Purism canaries are signed using the SHA1 algorithm in:
https://puri.sm/warrant-canary/
https://github.com/purism/warrant-canary/tree/master/canaries
"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1"
Fix:
Use SHA256 as the signing algorithm for future canaries.
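
A check for the `Hash:` armor header quoted in the report above, as an added example that is not part of the original report or of Purism's tooling. It reads only the header a clearsigned file declares; the function names and the sample messages are constructed for illustration.

```python
# Digest names as they appear in the "Hash:" armor header of a clearsigned
# message (RFC 4880, section 7). Names listed here are treated as weak.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}
BEGIN_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"

# Constructed samples: armor headers and a body line only, no signature block.
SAMPLE_SHA1 = BEGIN_MARKER + "\nHash: SHA1\n\ncanary text (constructed)\n"
SAMPLE_SHA256 = BEGIN_MARKER + "\nHash: SHA256\n\ncanary text (constructed)\n"


def declared_digests(clearsigned: str) -> list[str]:
    """Return digest names from the Hash headers of each clearsigned block."""
    digests = []
    in_headers = False
    for line in clearsigned.replace("\r\n", "\n").split("\n"):
        if line.strip() == BEGIN_MARKER:
            in_headers = True          # armor headers follow the marker
            continue
        if not in_headers:
            continue                   # body text is never parsed as a header
        if line.strip() == "":
            in_headers = False         # a blank line ends the armor headers
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == "hash":
            # The header may carry a comma-separated list of digests.
            digests += [d.strip().upper() for d in value.split(",") if d.strip()]
    return digests


def weak_digests(clearsigned: str) -> list[str]:
    """Return the weak digests a clearsigned message declares, sorted."""
    found = declared_digests(clearsigned)
    if BEGIN_MARKER in clearsigned and not found:
        # RFC 4880 lets the header be omitted only when MD5 is the sole digest.
        found = ["MD5"]
    return sorted(set(found) & WEAK_DIGESTS)


if __name__ == "__main__":
    for name, text in (("sha1", SAMPLE_SHA1), ("sha256", SAMPLE_SHA256)):
        print(name, weak_digests(text) or "ok")
```

The digest identifier inside the signature packet is what a verifier actually uses, so a clean header result is a first-pass check rather than proof of the algorithm used.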