MD5 is not vulnerable to a second preimage attack, so signing a repo that doesn’t already have attacker-controlled data specially crafted ahead of time is perfectly safe.
A collision attack is not “hash is useless, you can make up anything”, but a specific condition that breaks only some uses, not all.
You can generate a pair of files that hash to the same value that you can’t control. You can’t make a new file that hashes to an existing hash.
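An added illustration of the distinction drawn in the comment above (not part of the original comment): it runs both searches generically against MD5 truncated to 16 bits, which is an assumption made so they finish in well under a second. The function names and sample message are constructed for this example, and the brute-force search stands in for the cryptanalytic MD5 collision attacks, which are far cheaper than the generic bound.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: truncate MD5 to 16 bits so both searches finish quickly


def tiny_hash(data: bytes) -> int:
    """First BITS bits of MD5(data); a toy stand-in for a full-width hash."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - BITS)


def find_collision():
    """Collision: ANY two distinct inputs with equal hash; the value is not chosen."""
    seen = {}
    for i in count():
        msg = b"free-%d" % i
        h = tiny_hash(msg)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes):
    """Second preimage: a different input matching the hash of a FIXED message."""
    want = tiny_hash(target)
    for i in count():
        msg = b"forged-%d" % i
        if msg != target and tiny_hash(msg) == want:
            return msg, i + 1


if __name__ == "__main__":
    a, b, n_col = find_collision()
    existing = b"signed release manifest (constructed sample)"
    forged, n_pre = find_second_preimage(existing)
    print(f"collision after {n_col} hashes: {a!r} / {b!r}")
    print(f"second preimage after {n_pre} hashes: {forged!r}")
    print(f"generic cost: ~2^{BITS // 2} vs ~2^{BITS}")
```

The collision search lands on whatever value happens to repeat, at a generic cost of about 2^(n/2) hashes, while matching an already-fixed message costs about 2^n; at MD5's full 128 bits the second search is about 2^128 hashes.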