MAR files should be signed with a modern signature algorithm.
Mostly theoretical, and may be just a case of out of date upstream documentation.
https://wiki.mozilla.org/Software_Update:MAR
1: RSA-PKCS1-SHA1 (2048 bits / 256 bytes)
We should patch the MAR related code to add something more suitable to our adversary model, though what's used now should be "adequate" for the near term future.