So I gather from your approach, you'd be OK with simple micalg
parameters like SHA-1 and MD5.
Sure would. Frankly, I think we botched it when we assigned pgp-md5. While
it is true that PGP adds stuff to the signature calculation besides the
signed data, I think a better course of action would have been to simply
note that this is in fact the case, that the signature state should
be passed to the signature verifier without being finalized, and we should
have stuck with md5 (or sha-1 or whatever digests PGP is now using).