
    • Sub-task
    • Resolution: Done
    • Medium
    • None
    • iOS
    • SIMPLY S18 August 18 - Sep 1, SIMPLY S19 September 1 - 15, SIMPLY 22 Oct 14 - Oct 27, SIMPLY S20 September 15 - 29, SIMPLY S21 Sep 29 - Oct 13

      From the spec:

       

      To confirm the validity of a manifest, a signature is included in every manifest.
      User Agents **must** validate the signature of a manifest whenever the publication is opened.
      Signature for the audiobook manifest is very similar to Readium LCP and reuses terms defined in the Readium Web Publication Manifest for individual resources in the reading order.
      Signature information is contained in `http://www.feedbooks.com/audiobooks/signature` object in `metadata`:
      | Key | Semantics | Type | Required? |
      | ----- | --------- | -------- | --------- |
      | `algorithm` | Identifies the algorithm used to sign the manifest. | URI | Yes |
      | `issuer` | Identifies the issuer of the signature. | URI | Yes |
      | `value` | Contains the signature. | Base-64 encoded octet sequence | Yes |
      To calculate the validity of this signature, the User Agent **must**:
      - ensure that the `issuer` is present in a list of well-known issuers and that its associated certificate is still valid
      - use the JSON from the manifest, but remove the `http://www.feedbooks.com/audiobooks/signature` section from it
      - follow the [guidelines from the Readium LCP specification regarding JSON canonicalization](https://readium.org/lcp-specs/lcp.html#53-canonical-form-of-the-license-document)
      - validate the signature according to the `algorithm` specified in the manifest
      *Example 3: Signature Object*
      ```json
      "http://www.feedbooks.com/audiobooks/signature": {
       "algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
       "issuer": "https://www.cantookaudio.com",
       "value": "eKLux/4TtJc6VH6RTOi5lBMh9mT1j2y1z50OruWZgy8QjyPMjDV+aVZWUt7OUTinUHQfWNPBB6DxixgTZ07TQsix4uScL2dJZRQTjUKKHv3he7oJdOkcxjWDh51Q6U2KbDfC2MReG/+Qa4meoI5BN0Q8FKIEFMDZJ2KQTSRj13ZETaD0Nwz+8d6IN7csQGFJHvW/bBJthty+eZNzIr+VE0Kf02OS4yX+wvsExfRabvHlfimT1uUTWc89CgPAuM+Y7vdtjb+B3YFr7ibXATk6lQJkXzKol9ms6vkNwnvxzXwsQ+p1ZjejH1LOYADvedl/ItPrBGkhmq7bbUz91jUd+w=="
      }
      ```
      

       

      We need to get the "list of well-known issuers" and the corresponding list of certificates. It's not clear to me whether this list is static or dynamically generated.
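
The validation steps quoted from the spec, as an added Python sketch (not code from the spec or this ticket). It assumes the well-known issuer list is a static mapping of issuer URI to a pinned RSA public key and expiry time, standing in for certificate validation, and approximates the LCP canonical form with sorted keys and no insignificant whitespace; the Mersenne-prime key and `sign_for_demo` are constructed for the demo and are not secure.

```python
import base64, hashlib, json, time
SIG_KEY = "http://www.feedbooks.com/audiobooks/signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# DER DigestInfo prefix for SHA-256 from RFC 8017 (PKCS #1 v1.5 signatures)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def canonical(manifest):
    """Manifest without its signature object: sorted keys, no whitespace, UTF-8."""
    meta = {k: v for k, v in manifest["metadata"].items() if k != SIG_KEY}
    return json.dumps(dict(manifest, metadata=meta), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def encode_digest(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_manifest(manifest, issuers, now=None):
    """issuers: issuer URI -> (n, e, not_after); stands in for pinned certificates."""
    meta = manifest.get("metadata")
    sig = meta.get(SIG_KEY) if isinstance(meta, dict) else None
    if not isinstance(sig, dict) or sig.get("algorithm") != RSA_SHA256:
        return False                  # unsigned, or an algorithm we do not accept
    issuer = sig.get("issuer")
    if not isinstance(issuer, str) or issuer not in issuers:
        return False                  # issuer is not on the well-known list
    n, e, not_after = issuers[issuer]
    if (time.time() if now is None else now) > not_after:
        return False                  # issuer key/certificate has expired
    k = (n.bit_length() + 7) // 8
    try:
        raw = base64.b64decode(sig.get("value"), validate=True)
    except (TypeError, ValueError):
        return False                  # missing or malformed Base-64 value
    s = int.from_bytes(raw, "big")
    if len(raw) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == encode_digest(canonical(manifest), k)

# Constructed demo key from two Mersenne primes: for illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q

def sign_for_demo(manifest, issuer):
    # Test helper: signs in place with the toy key above (needs Python 3.8+).
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(encode_digest(canonical(manifest), k), "big")
    s = pow(m, pow(E, -1, (P - 1) * (Q - 1)), N)
    manifest["metadata"][SIG_KEY] = {"algorithm": RSA_SHA256, "issuer": issuer,
        "value": base64.b64encode(s.to_bytes(k, "big")).decode("ascii")}
```

A production client would use the platform's X.509 and RSA APIs rather than hand-rolled big-integer math, and would reject any `algorithm` it does not explicitly support, as the sketch does.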

            ErnestFan Ernest Fan
            leonardrichardson Leonard Richardson [X] (Inactive)