A computer system (e.g., a personal computer (PC)) is loaded with multiple versions of the bootable program (e.g., an operating system (OS)). The boot record for each bootable program version is hashed to produce a digest and the digest is signed using the cryptographic signature engine using the program's private installation key. The resulting signature, along with data indicating the program's name and version, is stored in fields of the non-volatile memory. When the system boots with a version of the program, the active entry is decrypted and the resulting data is compared. If a new version is being booted, then it is determined if the new version is the alternative entry. If so, the active entry is discarded and the alternative version is moved to be the active entry and the system boots with the new version of the program.