Adobe adds the checksum merely to be able to find out later whether a
particular XFA packet has been changed.
It is not a security feature – it is only a “did-anything-inside-this-packet
change?” flag – and therefore it is not described in the public XFA
specification.
Which algorithm is used?
• It is SHA-1.
The 20-byte digest is written as 40 lower-case hexadecimal digits.
What is hashed?
• Exactly the byte sequence that is located between the start tag
and the end tag of the packet that owns the attribute.
The packet’s own start tag (and thus the checksum attribute itself)
is explicitly left out so that the checksum can be inserted without
affecting the result.
• The bytes are taken verbatim as they exist in the PDF stream that contains the packet: same white-space, same line breaks, no XML canonicalisation, no attribute re-ordering, always interpreted as UTF-8.
• Put differently:
    <!-- packet stream as written by Acrobat -->
    <form xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
    … lots of XML … <!--<-- start of data -->
    </form> <!--<-- end of data -->
What goes into the hash is everything from the first byte after the ‘>’ that terminates the opening <form …> tag up to (but not including) the ‘<’ that starts the closing </form> tag.
• When more than one packet is stored in the same PDF stream (template, datasets, localeSet, …) each packet is handled independently; every packet can have its own checksum attribute and is hashed in the same way.
Pseudo code
    xmlStream = read_stream_from_pdf(objectNumber)
    start = xmlStream.indexOf('>') + 1 // after opening tag
    end = xmlStream.lastIndexOf('</') // before closing tag
    payload = xmlStream.substring(start, end)
    checksumHex = SHA1(payload).toHexString() // 40 lower-case chars
    // write it back
    // <form checksum="checksumHex" …> payload </form>
If you follow exactly this recipe (extract the bytes between the tags, compute a SHA-1 digest of those bytes, write the 40-character hex string to the checksum attribute) Acrobat/Reader will accept the packet as “unchanged”.
version: o3-2025-04-16
Status: UQ Validated
Validated: 8 months ago
Status: Human Verified
Verified: 7 months ago
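The recipe this answer describes, as an added Python example that is not part of the original answer and not Adobe's code: it finds the root element's opening tag (skipping a leading comment or XML declaration and tolerating '>' inside quoted attribute values), hashes the verbatim payload bytes and compares the digest with the stored checksum attribute. The function names and the sample packet are constructed for illustration; the algorithm is taken as the answer states it.

```python
import hashlib
import re

SKIP = re.compile(rb'\s+|<\?.*?\?>|<!--.*?-->', re.S)  # prolog before the root tag
NAME = re.compile(rb'<([A-Za-z_][\w.:-]*)')
ATTR = re.compile(rb'\s+([\w.:-]+)\s*=\s*("[^"]*"|\'[^\']*\')')
TAG_END = re.compile(rb'\s*>')

def split_packet(packet: bytes):
    """Return (stored checksum bytes or None, payload bytes) for one packet."""
    pos = 0
    while (m := SKIP.match(packet, pos)):      # skip declaration, comments, whitespace
        pos = m.end()
    m = NAME.match(packet, pos)
    if not m:
        raise ValueError("no opening tag found")
    name, pos, stored = m.group(1), m.end(), None
    while (a := ATTR.match(packet, pos)):      # quoted values may contain '>'
        if a.group(1) == b"checksum":
            stored = a.group(2)[1:-1]          # strip the surrounding quotes
        pos = a.end()
    m = TAG_END.match(packet, pos)
    if not m:
        raise ValueError("malformed or self-closing opening tag")
    start = m.end()                            # first byte after the opening tag
    end = packet.rfind(b"</" + name)           # '<' of the root's closing tag
    if end < start:
        raise ValueError("closing tag not found")
    return stored, packet[start:end]

def packet_digest(packet: bytes) -> str:
    """SHA-1 of the verbatim payload bytes, as 40 lower-case hex digits."""
    return hashlib.sha1(split_packet(packet)[1]).hexdigest()

def is_unchanged(packet: bytes) -> bool:
    """True only if a checksum attribute is present and matches the payload."""
    stored, _ = split_packet(packet)
    return stored is not None and stored.decode("ascii", "replace") == packet_digest(packet)

# Constructed sample packet (not taken from a real PDF).
SAMPLE_BODY = b'\n  <subform name="s1">\n    <field name="a"/>\n  </subform>\n'
SAMPLE = (b'<!-- constructed sample packet -->\n'
          b'<form xmlns="http://www.xfa.org/schema/xfa-form/2.8/" checksum="'
          + hashlib.sha1(SAMPLE_BODY).hexdigest().encode() + b'">'
          + SAMPLE_BODY + b'</form>')

if __name__ == "__main__":
    print(is_unchanged(SAMPLE))                                         # untouched
    print(is_unchanged(SAMPLE.replace(b'name="a"', b'name="b"')))       # edited payload
```

Because the bytes are hashed verbatim, a whitespace-only change inside the payload is reported as a modification just like a content change.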