In phar default signature is still SHA-1
which is no more considered add secure
Proposal: switch to SHA256 by default
Old algo are not removed, at least they
are required to check old archives.
Perhaps could make sense to raise a warning
In smp, auth protocol only support MD5 and SHA-1
rfc-7860 recommends SHA256 and SHA512
As minor self-contained change, probably don't
worth an RFC.
Please comment on PR