Question

I found this MSDN article that explains how to retrieve information for Authenticode signed executables. It retrieves data in the following format:

Signer Certificate:

Serial Number: 00 90 1a 1a 1b 1c 1c 26 3d 4f 56 61 70 8f 94 7f e0
Issuer Name: COMODO Code Signing CA 2
Subject Name: Signer's Name

My goal here is to verify that the EXE file is signed with the specific signing certificate that belongs to the company. For that I can obviously check Subject Name, but I'm curious about the Serial Number:

  1. Can Serial Number be used to verify that the EXE file is signed with a specific certificate? My tests showed that it doesn't change if I sign more than one file.

  2. Will this serial number stay the same when the certificate is renewed?


Solution

The combination of the IssuerRDN (the set of fields that identify the issuer) and SerialNumber fields uniquely identifies the certificate, as per RFC 5280.

The RFC doesn't define what happens if the certificate is re-issued, but I would assume that the serial number is changed. The reason is that the new certificate would differ from the previous one, and as such it must be identified uniquely.

Consequently for your task the better approach would be to

  1. validate the certificate chain completely to ensure integrity and authenticity of the certificate
  2. check issuer name
  3. check subject name
  4. check key usage field.

This will ensure that the certificate is valid and authorized for this company, and at the same time this algorithm saves you from the mistake of checking for exactly one certificate (this mistake can lead to trouble if the certificate is revoked for whatever reason and replaced with a new one).
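The checklist above as a runnable PowerShell script; this is an added example, not code from the answer or the MSDN article. It uses the built-in `Get-AuthenticodeSignature` cmdlet plus .NET's `X509Chain`; the `$ExpectedIssuer` and `$ExpectedSubject` values are placeholders to be replaced with the company's actual distinguished names.

```powershell
# Added example: verify an Authenticode-signed EXE against an expected signer,
# following the answer's order: chain validation, issuer, subject, key usage.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $ExpectedIssuer  = 'CN=PLACEHOLDER Code Signing CA, O=PLACEHOLDER',  # placeholder DN
    [string] $ExpectedSubject = 'CN=PLACEHOLDER Company, O=PLACEHOLDER Company'   # placeholder DN
)

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Step 0: the signature itself must be valid (file hash matches, signer trusted).
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate

# Step 1: build and validate the entire chain with online revocation checking,
# requiring that the chain is valid for the code-signing application policy.
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.ApplicationPolicy.Add([Security.Cryptography.Oid]$CodeSigningOid) | Out-Null
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain did not validate: $reasons"
}

# Steps 2 and 3: compare issuer and subject DNs exactly, not as substrings,
# so a look-alike name such as 'Company Ltd' does not match 'Company'.
if ($cert.Issuer  -ne $ExpectedIssuer)  { throw "Unexpected issuer: $($cert.Issuer)" }
if ($cert.Subject -ne $ExpectedSubject) { throw "Unexpected subject: $($cert.Subject)" }

# Step 4: the leaf certificate must carry the Code Signing extended key usage.
$eku = $cert.Extensions |
    Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })
if (-not $hasCodeSigning) { throw 'Signing certificate lacks the Code Signing EKU' }

# The serial number is reported for logging only; it is not pinned, so a
# renewed certificate with the same issuer and subject still passes.
"OK: $Path is signed by '$($cert.Subject)' (serial $($cert.SerialNumber), expires $($cert.NotAfter))"
```

One caveat: `X509Chain` evaluates validity at the current time, so a timestamped signature made with a certificate that has since expired passes step 0 but fails step 1; if you need to accept such files, set `$chain.ChainPolicy.VerificationTime` to the signing time before calling `Build`.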

Licensed under: CC-BY-SA with attribution