If it has told only 1 answer is true, I would have chosen D, if there are two, I would have chosen C. I chose D before C because if you are buying the code from the vendor, the vendor should be considered as somehow "trusted", and should not deliberately give you malicious code. Digital signature is being signed by the vendor's private key, there might be a chance the key has been compromised and others might impersonate the vendor.
BTW, which mock
test is this?