MD5 is not safe for this use case. Assuming the provider is malicious, this is exactly the scenario where MD5 is broken (i.e. it is possible to make source code that compiles a certain way so that you can make another binary that has the same hash but is different. The bright side is the attack would have evidence as there would be certain patterns in the binary that could be detected if you knew how/where to look. That said, just use sha256)