Checksum.sh could keep track of checksums. Then an attacker has to alter the original script and checksum.sh.