@marcan That's true but misses something important about security measures. They are about making it harder for somebody to do something bad, not to necessarily prevent it entirely. Having to change a SHA hash in a coordinated way is tricky for an attacker and significantly increases the difficulty.
Also, publish the SHA hash etc makes it much easier for people to compare notes and especially makes figuring out what happened easier in the context of incident response.