There are no known attacks which make SHA1 insecure in this context. Also according to this announcement, they will be signing the builds, which is vastly superior to any unverified checksum.
The signature is only as good as the hash it's using. SHA-1 is considered insecure. From Wikipedia:
SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use,[3] and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.[4][5][6] Microsoft,[7] Google[8] and Mozilla[9][10][11] have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
