If you update the file to insert the correct checksum, then that will change the checksum for the next run. You would be extremely unlikely to ever be able to guess the checksum and be able to put it in the script.
You could consider:-
- Change the permissions
- Have the script read a file holding the checksum
- Use an IDS as zaxxon suggests
- Regularly checksum your code and compare to the previous run
Of course, all of these can be bypassed by someone with appropriate authority, so it comes down to a question of who is trusted and only granting access to those you can trust. A script that can be read can be copied and adjusted before running the local copy anyway, if the user has the authority to do so, so you should be thinking of denying all access except where you are comfortable granting it.
Making the scripts' permissions as rwx --- --- and having a sudo rule to allow specific people to execute it may be the way to go.
I hope that this gives you some ideas to ponder further.
Robin
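
The following is an added example, not part of the post above: a sketch of the "file holding the checksum" and "compare to the previous run" suggestions, where the hash lives outside the script so that recording it does not change the file being hashed. It assumes `sha256sum` from GNU coreutils; the function names and the `job.sh` / `job.sha256` paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: store a script's checksum in a separate file and compare on
# each run. Assumes sha256sum (GNU coreutils); all paths are constructed.

# Print the SHA-256 of a file (hash only, no filename).
file_hash() {
    sha256sum "$1" | awk '{print $1}'
}

# Record the current hash of script $1 in store file $2.
# In real use the store should be owned by root and not writable by the
# accounts that run or maintain the script.
record_checksum() {
    file_hash "$1" > "$2" && chmod 600 "$2"
}

# Return 0 if script $1 matches the hash in store $2, 1 if it differs,
# 2 if either file is missing or unreadable.
verify_checksum() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    expected=$(cat "$2")
    actual=$(file_hash "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Demo on a constructed script in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "nightly job"\n' > "$dir/job.sh"
    chmod 700 "$dir/job.sh"                      # rwx --- ---
    record_checksum "$dir/job.sh" "$dir/job.sha256"
    verify_checksum "$dir/job.sh" "$dir/job.sha256" && echo "unchanged"
    echo 'echo "extra line"' >> "$dir/job.sh"    # simulate an edit
    verify_checksum "$dir/job.sh" "$dir/job.sha256" || echo "modified since last record"
    rm -rf "$dir"
}
demo
```

The check is only as trustworthy as the permissions on the store file and on whatever runs the comparison: anyone who can rewrite both the script and the stored hash can make them agree again.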