I don’t quite understand the question. The certification needs to build a trust path between something that the user (the service worker) knows, namely the IC root key, and the file just loaded. This involves a few steps (root public key → subnet public key → subnet state Merkle tree root → subnet state Merkle tree entry with certified data from canister → canister Merkle tree root → canister Merkle tree entry with sha256 of file loaded → file), and one of the steps requires the SHA256 signature of the file. So the canister needs the SHA256. Also see this video for more details:
Is it the case that the default asset canister doesn’t calculate the SHA256 upon upload, but requires the uploader to set it? Then that’s an engineering choice around that canister.
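The last three links of the chain described above (canister Merkle tree root → tree entry with the file's SHA256 → file), as an added Python example that is not part of the original post or the asset canister's own code. It assumes the hash-tree node hashing with `ic-hashtree-*` domain separators from the IC interface specification, uses a hypothetical tuple encoding for nodes and a flat two-file tree with constructed contents, and treats `certified_data` as already authenticated by the upper links (root key, subnet key, subnet state tree).

```python
import hashlib

def _h(domain: str, *parts: bytes) -> bytes:
    # Domain separator: one length byte followed by the ASCII tag.
    d = domain.encode()
    return hashlib.sha256(bytes([len(d)]) + d + b"".join(parts)).digest()

def reconstruct(t) -> bytes:
    """Root hash of a (possibly pruned) hash tree."""
    kind = t[0]
    if kind == "empty":
        return _h("ic-hashtree-empty")
    if kind == "fork":
        return _h("ic-hashtree-fork", reconstruct(t[1]), reconstruct(t[2]))
    if kind == "labeled":
        return _h("ic-hashtree-labeled", t[1], reconstruct(t[2]))
    if kind == "leaf":
        return _h("ic-hashtree-leaf", t[1])
    if kind == "pruned":
        return t[1]  # the hash is taken on trust; it only affects the root
    raise ValueError(f"unknown node kind: {kind!r}")

def lookup(t, label: bytes):
    """Leaf value stored under `label`, or None if absent or pruned away."""
    if t[0] == "fork":
        left = lookup(t[1], label)
        return left if left is not None else lookup(t[2], label)
    if t[0] == "labeled" and t[1] == label and t[2][0] == "leaf":
        return t[2][1]
    return None

def verify_asset(path: bytes, body: bytes, witness, certified_data: bytes) -> bool:
    """True only if the witness hashes to certified_data and commits to sha256(body)."""
    if reconstruct(witness) != certified_data:
        return False
    expected = lookup(witness, path)
    return expected is not None and expected == hashlib.sha256(body).digest()

# Constructed sample data (not real canister contents).
INDEX = b"<h1>hello</h1>"
APP = b"console.log('hi')"
def leaf_for(body: bytes):
    return ("leaf", hashlib.sha256(body).digest())
FULL_TREE = ("fork", ("labeled", b"/app.js", leaf_for(APP)),
                     ("labeled", b"/index.html", leaf_for(INDEX)))
CERTIFIED_DATA = reconstruct(FULL_TREE)  # what the canister would certify
# Witness sent with /index.html: the sibling subtree is replaced by its hash.
WITNESS = ("fork", ("pruned", reconstruct(FULL_TREE[1])), FULL_TREE[2])
```

The canister side only needs each file's SHA256 to build the tree and its root; the verifier recomputes the hash from the bytes it actually received, so a modified body or a witness with a swapped leaf both fail.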