A private key signs the manifest, which creates a signature.
However, since 62304 does not cover software validation, industry follows the GAMP standard (from ISPE) for validation of software systems.
I'm done with all the software verification activities; how should I handle the software validation? And, apart from links at the end of this page... if these help you to provide an overview... I feel the only thing I really need to do for software validation is to make sure the SRS conforms to the users' needs, which could be done through traceability analysis.
To sign a document, the holder of the private key first computes a hash of the manifest using SHA256 and then transforms that hash using the private key.
This new number, called the signature, is appended to the document.
If the upgrade process is successful, the options are removed from the configuration.