apk.static signature verification fails on Fedora 41, requires legacy crypto policies

Trying to use pmbootstrap doesn't work on Fedora 41 by default, printing the following error:

(026959) [05:57:50] Verify apk.static signature with /home/robert/git/pmbootstrap/pmb/data/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub
(026959) [05:57:50] % openssl dgst -sha1 -verify /home/robert/git/pmbootstrap/pmb/data/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub -signature /tmp/pmbootstrap0ofyl9ztsig /tmp/pmbootstrap_z843sakapk
Error setting context
8072556F917F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
(026959) [05:57:50] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(026959) [05:57:50] NOTE: The failed command's output is above the ^^^ line in the log file: /home/robert/.local/var/pmbootstrap/log.txt
(026959) [05:57:50] ERROR: Failed to validate signature of apk.static. Either openssl is not installed, or the download failed. Run 'pmbootstrap zap -hc' to delete the download and try again.

A workaround is to run update-crypto-policies --set LEGACY (reset: update-crypto-policies --set DEFAULT)

---

IIUC we'd need to stop using sha1 here and use at least sha256, however in order to do that the signatures would need to get recreated accordingly if I'm not mistaken.