It seems to my casual observation, that switching it to generate SHA1 signatures wouldn't be too hard, given it's using OpenSSL, and OpenSSL has a sha.h file. I really wouldn't know where to start, though, and ideally it should continue to verify existing MD5 signatures, so it's more than just changing an include and a few function calls.
To boot, upstream seems to have disappeared, so it's looking like removal is the best option. The popcon numbers for this package aren't very high either, which is another nail in the coffin.
So if someone reading this cares about elfsign in Debian enough to send me a patch to use SHA1 in the next month or so, I won't file a removal request.