Well, the JDK signature API is extensible and might extend to other implementations too. Can I safely assume that other than EC, all implementations have an exact corresponding SHA256with + implementation counterpart?
I don't think we can rely on that. But my thoughts are to either make the "auto-algorithm" robust enough to at least support all standard ciphers (it's not far from that), or don't offer it at all and make the user always supply the algorithm name. (Which loses convenience.)
Yes, I would support offering both with overloading.
It's correct that we need that at verify time as well, but won't the developer of the launcher know exactly what kind of key the provider of the business app config used? (I mean, they have to exchange the key, so why not also exchange its properties? It is usually also determinable from the beginning of the key string.)
We could also write that algorithm as an argument of the configuration XML for peace of mind.
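
The two overloads discussed in this thread, sketched as an added example (not code from the project or from any participant): the automatic variant maps only key types whose standard JDK signature names are known and rejects everything else instead of concatenating `"SHA256with"` and the key algorithm. The class name, method names and sample payload are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

public class SignatureAlgorithms {
    // Key algorithm -> signature algorithm, using standard JDK names.
    // "EC" is the case where "SHA256with" + key.getAlgorithm() is wrong.
    private static final Map<String, String> DEFAULTS = Map.of(
            "RSA", "SHA256withRSA",
            "DSA", "SHA256withDSA",
            "EC", "SHA256withECDSA");

    static String defaultAlgorithmFor(Key key) {
        String alg = DEFAULTS.get(key.getAlgorithm());
        if (alg == null) { // unknown provider or key type: refuse to guess
            throw new IllegalArgumentException("No default signature algorithm for "
                    + key.getAlgorithm() + " keys; supply one explicitly");
        }
        return alg;
    }

    // Convenience overload: algorithm derived from the key type.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        return sign(key, defaultAlgorithmFor(key), data);
    }

    // Explicit overload: caller names the algorithm.
    static byte[] sign(PrivateKey key, String alg, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, String alg, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] config = "<configuration/>".getBytes(StandardCharsets.UTF_8); // constructed sample
        for (String type : new String[] {"RSA", "EC"}) {
            KeyPairGenerator gen = KeyPairGenerator.getInstance(type);
            gen.initialize(type.equals("EC") ? 256 : 2048);
            KeyPair kp = gen.generateKeyPair();
            String alg = defaultAlgorithmFor(kp.getPublic());
            byte[] sig = sign(kp.getPrivate(), config);
            System.out.println(type + " -> " + alg + ", verified=" + verify(kp.getPublic(), alg, config, sig));
        }
    }
}
```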