I am working on an application where I have to verify that two files are signed with the same certificate (our certificate). If not, then abort the program.
I found in this question what I should do:
- Validate the certificate chain completely to ensure integrity and authenticity of the certificate
- Check issuer name
- Check subject name
- Check key usage field.
So for step 1, I use WinVerifyTrust, then I read the properties and compare them with each other.
So far so good, but what if someone creates a certificate and signs these two files with it? Then it will still work. I know that if this certificate is not added as a Trusted Publisher, then WinVerifyTrust will fail. But let's say it is added as a Trusted Publisher. Then it works. Obviously I can't write values like "my company name" in the code and check whether a property has this value.
So how do I check if it is really my certificate? If it is really a certificate which is "Trusted", not only one made trusted by me or someone else?
Thanks in advance!
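One way to implement the check the question asks about, as an added example that is not part of the original question or any answer to it: first let the platform validate the chain (which is what WinVerifyTrust does), then bind the signer to the publisher's own key by comparing a hash of the signing certificate's public key against a value pinned in the program, instead of comparing subject or issuer strings. A look-alike certificate that someone has added to Trusted Publishers passes the first step but has a different key pair, so it fails the second. The example is PowerShell built on Get-AuthenticodeSignature (which uses the same WinTrust verification underneath) rather than the C++ the question implies; the two file paths and the pinned hash value are placeholders to replace with your own.

```powershell
# Added example (not from the original question). Assumptions: the file paths
# and the pinned hash are placeholders; replace them with your own values.

# SHA-256 of the publisher's public key (hex, uppercase). Compute it once from
# the real signing certificate, e.g.
#   Get-PublicKeySha256 -Cert (Get-PfxCertificate -FilePath .\our-codesign.pfx)
# The value below is a placeholder, not a real key hash.
$PinnedPublicKeySha256 = '0000000000000000000000000000000000000000000000000000000000000000'

function Get-PublicKeySha256 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetPublicKey() returns the raw public key bytes, so the hash stays the
    # same when the certificate is renewed with the same key pair (a
    # certificate thumbprint would change on every renewal).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash($Cert.GetPublicKey())
    } finally {
        $sha.Dispose()
    }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Test-SignedByOurKey {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1 of the checklist: full chain validation. Anything other than
    # 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) is a failure.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Ok = $false; KeyHash = $null
            Reason = "signature status is $($sig.Status)"
        }
    }

    # Step 2: bind the signer to OUR key, not to a name string. A different
    # certificate installed as a Trusted Publisher passes step 1 but fails here.
    $keyHash = Get-PublicKeySha256 -Cert $sig.SignerCertificate
    if ($keyHash -ne $PinnedPublicKeySha256) {
        return [pscustomobject]@{
            Path = $Path; Ok = $false; KeyHash = $keyHash
            Reason = 'signer public key is not the pinned key'
        }
    }
    return [pscustomobject]@{ Path = $Path; Ok = $true; KeyHash = $keyHash; Reason = 'ok' }
}

# Placeholder paths: the two files the application has to check.
$files = @('C:\App\main.exe', 'C:\App\plugin.dll')
$results = $files | ForEach-Object { Test-SignedByOurKey -Path $_ }

$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Error "$($_.Path): $($_.Reason)" }
    exit 1
}
# Both files chain to a trusted root and carry the same pinned key, which also
# means they are signed with the same key as each other.
Write-Output "Both files are signed with the pinned publisher key: $($results[0].KeyHash)"
```

In C++ the same two steps are WinVerifyTrust with WTD_STATEACTION_VERIFY, then WTHelperProvDataFromStateData and WTHelperGetProvSignerFromChain to reach the signer's CERT_CONTEXT, and CryptHashPublicKeyInfo over pCertInfo->SubjectPublicKeyInfo for the key hash. Note that that hashes the full SubjectPublicKeyInfo structure whereas GetPublicKey() above returns only the raw key bytes, so compute the pinned value with the same method you use at runtime. Plan for key rotation by accepting a small list of pinned hashes rather than one, and ship the new key's hash in a release that is still signed with the old key.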