by arturventura 4291 days ago
Because it would be very hard to find a collision of a file that behaves exactly like a ZipFile.

To make a collision work, you would need to inject the payload into the program, and find a specific blob to put into the zip file, that once compressed and hashed would cause a collision. This isn't computationally efficient.

4 comments

That's not true. What people do is take a zip file and then append files to the end till you get the desired md5. It would behave like a zip file.

See http://www.mscs.dal.ca/~selinger/md5collision/

This is the type of assumption that can get you in trouble. Zip files can contain uncompressed files.
One can prepend any data to a zip file and it will still be valid.
I am not familiar with zip file format, but if zip files allow comments or other meta-data (in uncompressed form) then it is an easier path. I suspect even file-names could be an opportunity.
Zip even allows individual file members to be not-compressed. So it's extremely trivial.
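
Added example, not part of the thread: the replies' points about prepended data, archive comments and stored (uncompressed) members, checked with Python's standard `zipfile` module. It counts how many bytes of an archive a reader accepts verbatim, which is why "it still opens as a valid zip" says nothing about whether an MD5 digest of the file can be trusted. The member names, filler bytes and prefix are constructed sample values.

```python
import io
import zipfile

def build_archive(payload: bytes, filler: bytes) -> bytes:
    """Zip with one deflated member, one stored member and an archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/main.txt", payload, compress_type=zipfile.ZIP_DEFLATED)
        # ZIP_STORED writes the member's bytes into the archive unchanged.
        zf.writestr("app/pad.bin", filler, compress_type=zipfile.ZIP_STORED)
        zf.comment = filler[:64]  # the archive comment is uncompressed as well
    return buf.getvalue()

def verbatim_regions(blob: bytes) -> dict:
    """Count bytes a zip reader accepts with no compression constraint."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        return {
            "crc_ok": zf.testzip() is None,  # every member passes its CRC check
            # Offset of the first local header = bytes sitting before the archive.
            "prefix_bytes": min(i.header_offset for i in infos),
            "stored_bytes": sum(i.file_size for i in infos
                                if i.compress_type == zipfile.ZIP_STORED),
            "comment_bytes": len(zf.comment),
        }

def read_member(blob: bytes, name: str) -> bytes:
    """Extract one member, as a consumer of the archive would."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)

# Constructed sample data.
FILLER = bytes(range(256))
PAYLOAD = b"hello from the real program\n" * 20
PREFIX = b"constructed prefix\n" + FILLER
PLAIN = build_archive(PAYLOAD, FILLER)
PREFIXED = PREFIX + PLAIN  # arbitrary data placed in front of the archive

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("prefixed", PREFIXED)):
        print(label, verbatim_regions(blob))
```

Both archives pass the CRC test and yield the same program payload, so a format-validity check is not a substitute for verifying the download with a collision-resistant hash or a signature.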