And to do that, as a package maintainer, you sometimes have to trace upstream’s build system because you need to intercept the file after the build system has patched it, but before they’re actually using it to run the tests. And then you try to inject the codesign command line into the upstream build system, and hope it’s going to work this time.
And often enough, it just doesn’t work at all ([1] ballpark number of issues, [2] one example case where I can confirm that I was affected myself).
Use codesign -s - <path to binary> to recompute the checksum.