I would like to detect whether my macOS app executable file has been altered by someone. I wouldn't rely on the Codesign because, as I have seen on the web, many apps have been cracked, even if notarised by Apple. I know this will not guarantee the top security, but I would add this custom protection anyway.
A) If I add a checksum file within the Resources folder in the bundle after the app has been Archived (so within the xcarchive package), it's too late. The app won't launch because of the manipulation. I get a crash with "Termination Reason: Namespace CODESIGNING, Code 0x2".
B) If I add or modify the checksum file after the app has been notarised, the same, it won't launch.
C) If I modify the checksum resource file with a shell script during the build phase, before the "Run Copy Bundle Resources" phase, the checksum is wrong since the executable at that moment has a different file size and file modification date.
So, what's the best way to add my own checksum file to my app bundle? I run macOS 10.15.6 and XCode 11.5 and compile my 64 bits app for macOS 10.3/10.5.
If I understand correctly, you're trying to verify that your application is as you shipped it? And you're worried that codesigning isn't enough, as it might be "cracked"?
I do not believe this can be solved by using any kind of checksum. Anything that can compromise codesigning, can also compromise your checksum.
I would instead look at the new Apple Attestation API. This is designed to allow an application to verify that it is running on Apple hardware, and is the codesigned version. (A modified and signed application would fail this -- it's codesigned by a different key)