Good question. We've debated it. The images are signed, and so that internal hash serves to validate the images are correct. That doesn't mean you can't get a corrupt image, but it does mean the ZD will detect it and refuse to load.
(P.S. Stick with SHA1 - the naughty boys -- and no, I don't mean the NSA -- have cracked MD5.)
I've referred this to our security team to see if they have any further comment.