The gnupg2 defaults still allow creation and verification of SHA-1 signatures by default. Even though it is still considered too computationally intensive to run a practical attack, it might not be the case in coming years. There is a ground for the disablement of weak digest algorithms with override --allow-weak-digest-algos and MD5 is already considered weak in signatures and not accepted anymore. I think the SHA-1 should follow rather sooner than later, given that we have options to override this using commandline arguments.
Is there some plan to disable SHA-1 signatures by including this in the weak algorithms list in close future?