SpiderOak/Encryptr

Please sign your packaged releases or at least use a cryptographic hash that isn't broken

psivesely opened this issue · 1 comments

MD5 is bad news.

The Windows, Android and OS X packages are in fact signed. The Linux ones are not currently, but probably will be in the very near future.

The MD5 hashes you are referring to are just checksums to ensure the file you are downloading is the one you mean to. Even with MD5, creating a collision file would still take an enormous amount of computing effort.
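For the request in this issue, an added example (not code from this thread or from SpiderOak) of a download check that verifies a file against a published digest and refuses MD5 or SHA-1 entries outright. The `sha256sum`-style manifest format, the file name and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Hex length -> algorithm; MD5 and SHA-1 are recognised only to be refused.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ACCEPTED = {"sha256", "sha512"}

def parse_manifest(text):
    """Parse `<hexdigest>  <filename>` lines into {filename: (algo, digest)}."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # "*" marks binary mode in coreutils
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not name:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        bytes.fromhex(digest)  # raises ValueError if not hex
        entries[name] = (algo, digest.lower())
    return entries

def verify(path, manifest_text):
    """Return (ok, reason) for the file at `path` checked against the manifest."""
    entry = parse_manifest(manifest_text).get(os.path.basename(path))
    if entry is None:
        return False, "not listed in manifest"
    algo, expected = entry
    if algo not in ACCEPTED:
        return False, f"{algo} refused: not collision resistant"
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    ok = hmac.compare_digest(h.hexdigest(), expected)
    return ok, f"{algo} {'match' if ok else 'mismatch'}"

def demo():
    """Constructed sample: one file against a SHA-256 and an MD5-style manifest."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-release.tar.gz")  # constructed name
        data = b"constructed release bytes\n"
        with open(path, "wb") as f:
            f.write(data)
        good = f"{hashlib.sha256(data).hexdigest()}  example-release.tar.gz\n"
        weak = "0123456789abcdef0123456789abcdef  example-release.tar.gz\n"
        return verify(path, good), verify(path, weak)
```

A match only shows the file agrees with the manifest; whether the manifest itself is authentic depends on how it was obtained, which is the part a release signature covers.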