diff --git a/fdroidserver/publish.py b/fdroidserver/publish.py
index a63e5c43..6561a9b8 100644
--- a/fdroidserver/publish.py
+++ b/fdroidserver/publish.py
@@ -60,12 +60,12 @@ def key_alias(appid):
         # For this particular app, the key alias is overridden...
         keyalias = config['keyaliases'][appid]
         if keyalias.startswith('@'):
-            m = hashlib.md5()
+            m = hashlib.md5()  # nosec just used to generate a keyalias
             m.update(keyalias[1:].encode('utf-8'))
             keyalias = m.hexdigest()[:8]
         return keyalias
     else:
-        m = hashlib.md5()
+        m = hashlib.md5()  # nosec just used to generate a keyalias
         m.update(appid.encode('utf-8'))
         return m.hexdigest()[:8]
 
@@ -197,7 +197,7 @@ def main():
     vercodes = common.read_pkg_args(options.appid, True)
     allaliases = []
     for appid in allapps:
-        m = hashlib.md5()
+        m = hashlib.md5()  # nosec just used to generate a keyalias
         m.update(appid.encode('utf-8'))
         keyalias = m.hexdigest()[:8]
         if keyalias in allaliases:
@@ -307,11 +307,11 @@ def main():
                     # For this particular app, the key alias is overridden...
                     keyalias = config['keyaliases'][appid]
                     if keyalias.startswith('@'):
-                        m = hashlib.md5()
+                        m = hashlib.md5()  # nosec just used to generate a keyalias
                         m.update(keyalias[1:].encode('utf-8'))
                         keyalias = m.hexdigest()[:8]
                 else:
-                    m = hashlib.md5()
+                    m = hashlib.md5()  # nosec just used to generate a keyalias
                     m.update(appid.encode('utf-8'))
                     keyalias = m.hexdigest()[:8]
                 logging.info("Key alias: " + keyalias)
diff --git a/fdroidserver/server.py b/fdroidserver/server.py
index 0d6ffb32..5f1720b1 100644
--- a/fdroidserver/server.py
+++ b/fdroidserver/server.py
@@ -192,7 +192,7 @@ def update_awsbucket_libcloud(repo_section):
                     upload = True
                 else:
                     # if the sizes match, then compare by MD5
-                    md5 = hashlib.md5()
+                    md5 = hashlib.md5()  # nosec AWS uses MD5
                     with open(file_to_upload, 'rb') as f:
                         while True:
                             data = f.read(8192)
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index bce32b21..846f7193 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -434,7 +434,7 @@ def getsig(apkpath):
 
     cert_encoded = common.get_certificate(cert)
 
-    return hashlib.md5(hexlify(cert_encoded)).hexdigest()
+    return hashlib.md5(hexlify(cert_encoded)).hexdigest()  # nosec just used as ID for signing key
 
 
 def get_cache_file():