Yes this is possible, however, it's got a requirement. The developer must specifiy the Exact Common name as the Identity in the appxManifest.xml before signing.
SHA-2 using a PFX: signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f signingCert.pfx /p password filepath.appx
SHA-2 using Thumbprint: signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 XXSHA256CERTTHUMBPRINTXX filepath.appx