sha256sum generates a sum, but you still need to store that sum somewhere that isn't controlled by the malware creator, or they can just change the sum too.
All major Linux distros, for example, still have no viable way of creating signed programs or anything like Gatekeeper.
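The point above about the sum living beside the download, as an added worked example (not part of the post, and not any distro's tooling): a sha256sum-style manifest checked against the files it lists passes even when the attacker rewrote both, while an Ed25519 signature over the manifest fails unless the attacker also holds the signing key. The file names, contents and the `Scenario` helper are constructed for the example; the public key still has to reach the downloader over a channel the attacker doesn't control (pre-installed, pinned), which is the same storage problem moved up one level.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// sha256Hex returns the lowercase hex SHA-256 digest of data, as sha256sum prints it.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// sumsLine formats one sha256sum manifest line: "<hex>  <name>".
func sumsLine(name string, data []byte) string {
	return sha256Hex(data) + "  " + name + "\n"
}

// checkSums is what `sha256sum -c` does: every "<hex>  <name>" line must match
// the supplied file contents. It returns false on any mismatch or unknown name.
func checkSums(manifest string, files map[string][]byte) bool {
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return false
		}
		data, ok := files[fields[1]]
		if !ok || sha256Hex(data) != fields[0] {
			return false
		}
	}
	return true
}

// verifyRelease checks the manifest signature with a public key obtained out of
// band, and only then checks the files against the manifest.
func verifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) bool {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return false
	}
	return checkSums(manifest, files)
}

// Scenario plays out the attack: the attacker swaps the program and rewrites
// the sum next to it. It returns (sumOnlyPasses, signedRejectsTamper, signedAcceptsGenuine).
func Scenario() (bool, bool, bool) {
	// Constructed sample release: one file and a signed manifest.
	files := map[string][]byte{"tool.bin": []byte("genuine program")}
	manifest := sumsLine("tool.bin", files["tool.bin"])
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, []byte(manifest))

	// Attacker controls the download location: new binary, new matching sum.
	tampered := map[string][]byte{"tool.bin": []byte("malware")}
	tamperedManifest := sumsLine("tool.bin", tampered["tool.bin"])

	sumOnlyPasses := checkSums(tamperedManifest, tampered)                  // true: the sum was rewritten too
	signedRejects := !verifyRelease(pub, tamperedManifest, sig, tampered)   // true: signature no longer matches
	signedAccepts := verifyRelease(pub, manifest, sig, files)               // true: genuine release still verifies
	return sumOnlyPasses, signedRejects, signedAccepts
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("sum-only check passes tampered release: %v\n", a)
	fmt.Printf("signed manifest rejects tampered release: %v\n", b)
	fmt.Printf("signed manifest accepts genuine release: %v\n", c)
}
```

Reusing a stale signature against a rewritten manifest is exactly the case the Verify call catches; what it cannot catch is a stolen signing key or a public key fetched from the same compromised server, so the key distribution is the part that has to be solved out of band.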