Indeed, files which are submitted to Perforce have cryptographic digests which are computed during the submit operation.
These file digests are subsequently checked each time the files are synced to any client workstations, and can also be re-verified directly on the server by using the 'p4 verify' command to determine if the file content has been attacked directly on the server.
You can also observe these digests by running various commands; for example you can run 'p4 fstat -Ol //depot/src/file.c' and look at the 'digest' field.
By the way, what are "PA-DSS requirements"? That's a new acronym to me.
Here's a certain amount of information about the file digests that the Perforce server maintains:
- http://www.perforce.com/perforce/doc.current/manuals/cmdref/p4_verify.html
- http://kb.perforce.com/AdminTasks/BackupAndRecovery/BadErrorsFromP4Verify
- http://www.perforce.com/perforce/doc.current/manuals/cmdref/p4_fstat.html
If the issue involves maintaining a record of the code review process, to establish that the code changes that were reviewed are the ones that were actually submitted, you might develop a workflow that is based on the Perforce "shelve" command.
The most important aspect of the "shelve" command that helps with these sorts of workflows is actually in the "submit" command: "p4 submit -e " directly submits a shelf on their server, without re-transferring the files from the user's workstation.
Therefore, if your process only allows 'submit -e' for submits to certain protected areas of your repository, and only allows submits of shelves that have been reviewed (these would be things you would enforce with your change-submit trigger), then you have confidence that the code that was reviewed is the code that was submitted.