WHY IS TURBOTAX DESKTOP STILL USING SHA1 SIGNATURES ON ITS SOFTWARE WHEN MICROSOFT DEPRECATED THAT FORM OF SIGNATURE WHICH RESULTS IN THE "UNKNOWN PUBLISHER" WARNING?

Microsoft deprecated sha1 signatures in 2019 in favor of sha256 signatures which can't be spoofed. Why does an allegedly professional software company still use sha1 signatures now, two years too late?