
Is it possible to build and upload an APK file available for Android 5/6 without the JAR v1 signature?


We have users of our Android app on Android 5 and above, and we know that there is a security patch that fixes the Janus vulnerability on those devices, allowing those old Android versions to accept the v2 signature of the .apk. So we are trying to build an .apk without the JAR v1 signature (`enableV1Signing false`) for Android 5 and above, and the build works. But then apksigner says "DOES NOT VERIFY", and when we try to upload the .apk to the Store it is rejected. So, is it possible to avoid the v1 signature for Android 5 and above? If not, how can we publish the app while excluding the users on Android 5 and 6 who haven't installed the Janus security patch? Thanks in advance.


Solution

  • V2 signing was introduced in Android 7, so there is no way to escape v1 signing for users on Android 5 and 6.

    In Google Play, you can upload multiple APKs in one release, so if you really wanted, you could upload one APK with minSdkVersion=21 with v1 and v2 signatures, and another one with minSdkVersion=24 with v2 signature alone. You will need to make sure that the latter one (24) has a higher versionCode than the former (21) to ensure that they are served as you expect to your users.
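
The two-APK setup described in the answer, as an added Gradle example that is not part of the original answer. Flavor names, version-code offsets, the keystore path, key alias and environment variable names are assumptions; `enableV1Signing`/`enableV2Signing` need Android Gradle Plugin 4.2 or later.

```groovy
// app/build.gradle (Groovy DSL). Illustrative configuration, not project code.
def baseVersionCode = 42   // constructed value; bump once per release

android {
    signingConfigs {
        // Both configs use the same key so Play treats the APKs as one app.
        v1AndV2 {
            storeFile file(System.getenv("KEYSTORE_PATH") ?: "release.jks") // placeholder path
            storePassword System.getenv("KEYSTORE_PASSWORD")
            keyAlias "release"                                              // placeholder alias
            keyPassword System.getenv("KEY_PASSWORD")
            enableV1Signing true    // JAR signature: the only scheme Android 5/6 verify
            enableV2Signing true    // whole-file signature, verified from Android 7
        }
        v2Only {
            storeFile file(System.getenv("KEYSTORE_PATH") ?: "release.jks")
            storePassword System.getenv("KEYSTORE_PASSWORD")
            keyAlias "release"
            keyPassword System.getenv("KEY_PASSWORD")
            enableV1Signing false   // safe only because minSdkVersion is 24 below
            enableV2Signing true
        }
    }

    flavorDimensions "api"
    productFlavors {
        legacy {
            dimension "api"
            minSdkVersion 21
            versionCode 1000 + baseVersionCode   // lower code: served to API 21-23
            signingConfig signingConfigs.v1AndV2
        }
        modern {
            dimension "api"
            minSdkVersion 24
            versionCode 2000 + baseVersionCode   // higher code: preferred on API 24+
            signingConfig signingConfigs.v2Only
        }
    }

    buildTypes {
        release {
            // Do not set signingConfig here: a build-type signing config
            // would override the per-flavor ones above.
            minifyEnabled true
        }
    }
}
```

By default `apksigner verify` checks the signature against the `minSdkVersion` declared in the APK's manifest, so the v2-only `modern` APK verifies because it declares 24, while a v2-only APK that still declares 21 reports "DOES NOT VERIFY".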