This commit introduces a dedicated SignatureHashAlgorithmPolicy for certification signatures. The default configuration will accept SHA-1 on sigs created before 2023-02-01.