MD5 APK signatures are still supported by Android and are accepted by Google Play when you upload an APK there.
See https://forum.f-droid.org/t/many-old-unmaintained-apps-have-... for more discussion about this in the context of F-Droid. I believe F-Droid was (is) using Oracle jarsigner to verify APK signatures and this is what causing F-Droid to reject APKs with MD5 signatures.
I know for a fact they use MD5withRSA for some of their own apks including YouTube - https://www.josephkirwin.com/2016/05/05/humbled-by-md5/
* at least they did at the time that was written.