Tamper-resistant software development lifecycle provenance
Abstract:
A validation record chain that is generated for a particular version of a software package may be used to verify the legitimacy of the particular version. A hash that is generated by a software building platform for a particular version of a software package is received. A validation record chain for the particular version is then generated that includes a plurality of certificates such that a first certificate in the validation record chain contains the hash, and each of one or more subsequent certificates is signed with a corresponding hash signature of a corresponding certifier application and contains a prior hash signature of a previous certificate in the validation record chain. The validation record chain is stored for validation of the particular version of the software package via the plurality of certificates.
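The chain structure described in the abstract, shown as an added example that is not code from the patent. Assumptions: SHA-256 is the package hash, HMAC-SHA256 with a per-certifier key stands in for each certifier application's signature, the first certificate is signed by the build platform, and the JSON layout, certifier names, keys and artifact bytes are all constructed for illustration.

```python
import hashlib, hmac, json

def sign(key, body):
    # Stand-in signature (assumption): HMAC-SHA256 over canonical JSON of the body.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_chain(package_hash, stages):
    """stages: ordered (certifier_name, key); the first entry is the build platform."""
    chain, prev_sig = [], None
    for i, (name, key) in enumerate(stages):
        body = {"seq": i, "certifier": name}
        if i == 0:
            body["package_hash"] = package_hash  # first certificate holds the hash
        else:
            body["prev_signature"] = prev_sig    # later ones link to the previous one
        prev_sig = sign(key, body)
        chain.append({"body": body, "signature": prev_sig})
    return chain

def verify_chain(chain, keys, artifact):
    """Return (ok, reason) for the artifact bytes checked against the stored chain."""
    if not chain:
        return False, "empty chain"
    if chain[0]["body"].get("package_hash") != hashlib.sha256(artifact).hexdigest():
        return False, "artifact hash does not match first certificate"
    prev_sig = None
    for i, cert in enumerate(chain):
        body = cert["body"]
        key = keys.get(body.get("certifier"))
        if key is None or body.get("seq") != i:
            return False, f"certificate {i}: unknown certifier or bad sequence"
        if not hmac.compare_digest(sign(key, body), cert["signature"]):
            return False, f"certificate {i}: signature invalid"
        if i > 0 and body.get("prev_signature") != prev_sig:
            return False, f"certificate {i}: link to previous certificate broken"
        prev_sig = cert["signature"]
    return True, "ok"

# Constructed sample data: artifact bytes, certifier names and keys are made up.
ARTIFACT = b"example-package-1.2.3 contents"
STAGES = [("build-platform", b"k-build"), ("sast-scan", b"k-sast"),
          ("release-signoff", b"k-rel")]
KEYS = dict(STAGES)
CHAIN = build_chain(hashlib.sha256(ARTIFACT).hexdigest(), STAGES)
```

Because each certificate embeds the previous signature, a certifier that re-signs its own altered record still invalidates every certificate after it, and removing a stage breaks the sequence.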