Something I played around with following @vlsi hint here: #1488 (comment 38104) Feels much smoother than gradle witness and is actively maintained by @vlsi - so might be worth a look.
Switching between GPG and SHA512 is as easy as it gets. I used the default of GPG and sha512 as fallback here, sha512 only might be safer though?
Solves #1613