>I'm not too worried about it either. The only reason anyone is clicking on this fine link is because firefox only lets you install addons signed by Mozilla.
unzip *.xpi
nano META-INF/manifest.mf
gives me
Manifest-Version: 1.0
Name: background.js Digest-Algorithms: MD5 SHA1 MD5-Digest: pcBRGwbuhPz06VrGWmAitQ== SHA1-Digest: szDd6YcB3bpF+NusZhEHhmMDi5U=
Name: content.js Digest-Algorithms: MD5 SHA1 MD5-Digest: CGOATrflEiq+QEu1IZlFvQ== SHA1-Digest: ps2bMGGRQdb4E7VOakqQEhJ8M5c=
Name: content.js.map Digest-Algorithms: MD5 SHA1 MD5-Digest: FY98a5hwQKH3g1fKcGK04A== SHA1-Digest: bAzZBP+YQ3EDWUXpqzKcTUw35Y0=
Name: manifest.json Digest-Algorithms: MD5 SHA1 MD5-Digest: eEm4sDKemttFN7G7JeLo0g== SHA1-Digest: 5W8OY1mk3QjECHzHna00iNXo9mM=
Name: experiments/skeleton/api.js Digest-Algorithms: MD5 SHA1 MD5-Digest: 0RBtD2TRmeE30v9+4TxXYA== SHA1-Digest: 2Uq9PO2H1iks/Cb7VAkfGrrD6hA=
Name: experiments/skeleton/schema.json Digest-Algorithms: MD5 SHA1 MD5-Digest: nSzuviuP+VtUvjE4IyIVhQ== SHA1-Digest: W311W+MXcHSsHIVFP15zxGUmQS8=
===
The hashes that certify the integrity of the files are under rigorous protection of ... MD5 and SHA1 (!)
What's your point?
There might be a very difficult preimage attack on MD5.
There's no evidence of a preimage attack on SHA1.
There is absolutely no way you're doing both at once.