Comment 3 for bug 1897930

this is not meant to be cryptographic authenticity check.

it's meant to be a quick check against media corruption.

for authenticity checks we do publish sha256sum of the .iso, gpg sign the package pool, and gpg sign filesystem.squashfs for when booting over the network.

md5sum is fastest CRC like function. If there is anything faster we would use that. I.e. we might use blake3 instead. But not sha256 it's very slow.