Amateur cryptographers...sigh...
First of all, MD5 is insecure. Don't use it. Just don't. For new applications, I recommend sha256 or SHA-3.
Second, the hash does no good unless you also digitally sign the hash.
Third, a signature does no good unless people can verify the key used to produce the signature belongs to a known trusted signer.
I believe the client has a command to sign a hash with the private key associated with a TITAN account. I recommend using this to sign the sha256 and sha3 of each released executable. And also the commit hash of each git tag.
I believe there is a way to actually include the signature with the tag so it can be automatically verified by git, but I think it uses GPG PKI. Getting our own TITAN PKI to integrate with Git in a similar way would be a good bounty idea if there are any Git experts lurking in this forum.