The XPI signing mechanism needs to use different hash functions.
https://wiki.mozilla.org/Add-ons/Extension_Signing
Signing 2 hashes of a manifest file containing 2 hashes each of every file in an archive, especially when "2 hashes" is MD5 and SHA1 is cryptographically unsound.
See Joux, A., "Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions".