This is a question best asked of Apple directly; the "why" questions are often not something that non-Apple folks are in a position to answer.
Of what's been posted and discussed about your question, "For updates delivered by Automatic Software Update, SHA-1 digest verification is performed automatically for you." (HT1652)
For details on code signing used on more recent OS X releases, see the Code Signing Guide and review commands such as codesign --verify --deep-verify --verbose /applications/Install\ OS\ X\ Mountain\ Lion.app and codesign --display -vvv --entitlements - /applications/Install\ OS\ X\ Mountain\ Lion.app Based on the output from those and related commands, the code-signing here is using SHA-1, and it traces back to Apple digital certificates.
AFAIK, the installation verifies the signatures, as it wouldn't be much value otherwise.
Alternatively (and likely better), please call the Apple support center folks directly, as your requirements are clearly quite specialized, and it would appear your distribution path requirements may be equally specialized.
FWIW, few folks are using MD5 anymore for anything more serious than detecting file transfer corruptions.