Once someone can generate a collision for a hashing algorithm, it's time to start retiring it.
If anyone less than a government can do it now, you can bet it's already been done by at least one government for purposes of exploit insertion, because the people most likely to be signing stuff already are those they are likely to be interested in.
Call it the "Price of privacy."