MD5 APK signatures are still supported by Android and, for example, are accepted by Google Play when you upload an APK there.
What happened with jarsigner and apksigner is that these tools use Sun/Oracle’s PKCS #7 classes to verify JAR signatures of APKs. In recent versions of Java, these classes were switched to reject MD5 signatures by default, unless special command-line parameters are provided to the JVM.
apksigner has now switched to using its own PKCS #7 codebase which accepts MD5 signatures because Android does so. Unfortunately, apksigner version 0.8 which contains this change is not yet out (as of Aug 23 2017). It will be released in the next release of Android SDK Build Tools. If you’re desperate to try it out until then, the source code is at platform/tools/apksig - Git at Google.
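
To see whether an APK's JAR signature block declares an MD5 digest, the sketch below walks the PKCS #7 SignedData in META-INF and reads its digestAlgorithms field. It is an added example, not code from the original post or from apksig; the function names and the truncated sample blocks are constructed for illustration.

```python
import io
import zipfile

# DER content bytes of the md5 digest OID, 1.2.840.113549.2.5
MD5_OID = bytes.fromhex("2a864886f70d0205")

def tlv(der):
    """Split DER bytes into top-level (tag, content) pairs."""
    out, pos = [], 0
    while pos + 2 <= len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        out.append((tag, der[pos:pos + length]))
        pos += length
    return out

def signature_digests(pkcs7):
    """OID content bytes listed in SignedData.digestAlgorithms of a PKCS #7 block."""
    content_info = tlv(pkcs7)[0][1]                   # ContentInfo SEQUENCE
    signed_data = tlv(tlv(content_info)[1][1])[0][1]  # unwrap [0] EXPLICIT
    digest_set = tlv(signed_data)[1][1]               # SET OF AlgorithmIdentifier
    return [tlv(alg)[0][1] for _, alg in tlv(digest_set)]

def md5_signature_blocks(apk_bytes):
    """Names of META-INF signature blocks that declare an MD5 digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return [n for n in apk.namelist()
                if n.startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA", ".EC"))
                and MD5_OID in signature_digests(apk.read(n))]

# --- constructed sample: a truncated PKCS #7 block, not a real signature ---
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form lengths only

def sample_apk(digest_oid):
    alg = _der(0x30, _der(0x06, digest_oid), _der(0x05))       # AlgorithmIdentifier
    signed = _der(0x30, _der(0x02, b"\x01"), _der(0x31, alg))  # version, digestAlgorithms
    signed_data_oid = _der(0x06, bytes.fromhex("2a864886f70d010702"))
    block = _der(0x30, signed_data_oid, _der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", block)
    return buf.getvalue()

MD5_APK = sample_apk(MD5_OID)
SHA256_APK = sample_apk(bytes.fromhex("608648016503040201"))  # 2.16.840.1.101.3.4.2.1
```

On a real APK, pass the file's bytes to `md5_signature_blocks`; a non-empty result names the signature blocks that the stricter Java PKCS #7 classes would refuse by default.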