Sign records in a database

I have a table in my database where I store records to be processed later (basically orders that need to be invoiced or something similar, but this is not the important part).

Since this software runs on-premises, pro-users control the database and they’re able to insert records directly into it. They usually do this to make my system process records in an unsupported way. Obviously, this leads to problems that I often need to deal with: inconsistency, invalid domain, missing fields, etc.

To avoid this problem, I’d like to know what my options are to "sign records", that is, identify the records generated by my system in a way that others cannot reproduce.

Several approaches came to mind when I thought about this problem:

  • Create some undocumented record hash (that can be reverse engineered);
  • Use a digital certificate to sign records (where to store the digital certificate? the system runs offline on-premises);
  • Use some kind of blockchain approach: linking a record with the previous + some proof of work (maybe too hard to implement and error-prone).

Are there other approaches I am not considering? If not, between the ones I listed, is there an approach I should stick with or avoid?
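
The third option in the list above (linking each record to the previous one), with a keyed MAC in place of proof of work, as an added example that is not part of the original post. The key, the record fields and all function names are assumptions; the sketch presumes the key is kept where database users cannot read it, which the post leaves open.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed start value for the chain


def canonical(record):
    # Stable byte encoding: sorted keys, fixed separators.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(key, prev_tag, record):
    # MAC over the previous tag plus the record binds each row to its predecessor.
    msg = prev_tag.encode() + b"|" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(key, rows, record):
    prev = rows[-1]["tag"] if rows else GENESIS
    rows.append({"data": record, "tag": tag(key, prev, record)})


def first_invalid(key, rows):
    """Return the index of the first row whose tag does not verify, or None."""
    prev = GENESIS
    for i, row in enumerate(rows):
        expected = tag(key, prev, row["data"])
        stored = str(row.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), stored.encode()):
            return i
        prev = stored
    return None


def demo():
    key = b"constructed-demo-key"  # assumption: held only by the application
    rows = []
    for n in (1, 2, 3):  # constructed sample records
        append(key, rows, {"order_id": n, "amount": n * 100})
    # Row written straight into the table, reusing a neighbour's tag.
    injected = {"data": {"order_id": 99, "amount": 1}, "tag": rows[1]["tag"]}
    forged = rows[:1] + [injected] + rows[1:]
    # Existing row edited in place, tag left unchanged.
    edited = rows[:2] + [{"data": {"order_id": 3, "amount": 1}, "tag": rows[2]["tag"]}]
    return first_invalid(key, rows), first_invalid(key, forged), first_invalid(key, edited)


if __name__ == "__main__":
    print(demo())
```

Removing rows from the end of the table is not detected by the chain alone; keeping the latest tag or a row count outside the database covers that case.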