Mechanism for determining applicability of a software package for installation is described herein. In one embodiment, a process is provided to retrieve authentication information of a component from an installation descriptor file, where the descriptor file describes installation information of the software package. The software package may include one or more components and each component having zero or more sub-components. For at least one sub-component of at least one existing component that has already been installed, an image of the sub-component is authenticated using an authentication key extracted from the authentication information to determine whether the component can be installed based on the existing component. Other methods and apparatuses are also described.