by nathan_f77 3461 days ago
They have moved away from SHA-1, and are now using SHA-256. Previous releases were signed with SHA-1, and before that it was MD5: https://handbrake.fr/checksums.php

I'm not sure why they haven't retroactively calculated checksums for older versions.

But you're right that SHA-1 needs to stop being used: https://sites.google.com/site/itstheshappening/

These researchers have found the first "freestart" collision, and they estimate the SHA-1 collision cost to take a few months, costing between 75K$ and 120K$.

Practically speaking, I don't think anyone could make a profit by forging a Handbrake release, but the FBI probably do have some very high-profile targets who use video encoding software.