It’s not a secret, or an encryption technique that needs to be hidden. It’s just there to help verify you completely downloaded the correct file. It can’t be spoofed, because the checksum isn’t assigned. It is generated using the file itself. So, even if someone somehow did manage to replace the file you really wanted, it can’t generate the same checksum (I mean, *technically* it could be done, but it would be way too damned much work and pretty obvious)