SHA-1, are you kidding me? Nobody uses that! Guess again my friend. Although it has been slowly phased out over the past five years, it remains far from being fully deprecated. It's still the default hash function for certifying PGP keys in the legacy 1.4 version branch of GnuPG, the open-source successor to PGP application for encrypting email and files. Those SHA1-generated signatures were accepted by the modern GnuPG branch until recently, and were only rejected after the researchers behind the new "chosen-prefix" collision attack privately reported their results. Here is a link to the academic paper "SHA-1 is a Shambles".