The verification requires an .issig signature file to be present in the same directory as the source file, created using the Inno Setup Signature Tool. If flag download is set then the .issig signature file will be downloaded instead. See the DownloadISSigSource parameter description for more information..
The precise effect of this flag depends on whether it is combined with the external flag:
When used without the external flag, the compiler will verify the source file while it is being compressed/stored into the resulting installer. If the verification fails, compilation will abort.
-When used with the external flag, Setup will verify the source file during the installation process while it is being copied to the destination directory. Files are always created with temporary names (*.tmp) initially. If the verification fails, the temporary file will be deleted and a "Verification of the source file failed" error message will be displayed to the user (with Skip, Try Again, and Cancel options) and a more detailed error is logged. If the verification succeeds, the temporary file will be renamed to the correct destination name.
-When a file entry with the external flag is skipped (i.e., not installed - for example because the ignoreversion flag wasn't used), the source file isn't copied anywhere, so no verification takes place.
+Since verification occurs while source files are being compressed/copied, and not in a separate pass, each file's contents are only read once. Thus, enabling verification has little performance impact; the only extra I/O comes from reading the tiny .issig files. Only archives and downloaded files are read twice.
The verification process is protected against the Time-Of-Check to Time-Of-Use (TOCTOU) problem.