Not a lot you can do?
Anything that requires signatures is vulnerable to forgery if the signer's certificate specifies SHA1.
An attacker could forge:
1. Software signatures - to slip malware into a software vendor's distribution channels.
2. SSL certificates - to MITM web connections to phish, steal data, or distribute malware.
3. Personal digital signatures - to fabricate documents, including emails, transaction, orders, etc that are normally trusted implicitly due to the signature
4. Subordinate CA certificates - to create trusted certificates which permit all of the above
The problem lies with #4. The real risk is not a one-off duplicate of John Doe's smart card. The real danger is the CAs signed with SHA1 who are still trusted by browsers, applications, and OSes around the world. If an attacker counterfeits one of their certificates, he can issue arbitrary certificates for any web site, any software publishers, or any user.
The only solution is to discontinue the use of SHA1 internally and to revoke trust for all CAs that still use SHA1. Better crypto has existed for a long time---the standard for SHA2 was finalized in 2001, well over a decade ago.