SigDiff - Authenticode Signer Chain#
Two files can have different hashes but the same legitimate signer (a normal new release), or the same filename and claimed role but a different signer (a red flag). SigDiff records the Authenticode code-signing identity of every Windows binary HashWatch tracks, so you can see who signed it, not just what its hash is.
It is also the foundation for RevokeRadar: the signer chain SigDiff extracts is exactly what RevokeRadar checks for revocation.
What it captures#
When HashWatch ingests a PE/EXE binary, it parses the embedded Authenticode signature (using the Go standard library, no external tooling) and records the signing certificate - the leaf certificate that the signature's SignerInfo names, not the intermediates or the timestamping certificate - on the hash record:
| Field | Meaning |
|---|---|
| sig_signer | Subject of the signing certificate - the publisher identity (e.g. “Google LLC”) |
| sig_issuer | The CA that issued the signing certificate (e.g. “DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1”) |
| sig_serial | Serial number of the signing certificate, hex-encoded |
| sig_thumbprint | SHA-1 thumbprint of the signing certificate - the identifier to pivot on across your estate. It identifies one certificate, so it changes when the publisher renews its certificate even though sig_signer normally stays the same |
All four are nullable: they are null for unsigned binaries, for non-PE formats (.dmg, .deb, .apk, manifest-only vendors), and for any file in which no Authenticode signature is present.
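Finding the signature inside the file is the step the paragraph above glosses over. The following Go program is an added example, not HashWatch's code: it locates the WIN_CERTIFICATE record through the PE Certificate Table with debug/pe and encoding/binary, and builds its own minimal PE32+ skeleton as constructed input. The function names LocateAuthenticode and FakeSignedPE, the ErrUnsigned value and the placeholder payload bytes are this example's own assumptions, not HashWatch identifiers.

```go
// Added example (not HashWatch's code): locate the Authenticode blob in a PE
// with only debug/pe and encoding/binary. The signature sits in the
// Certificate Table (data directory 4, IMAGE_DIRECTORY_ENTRY_SECURITY) as one
// or more WIN_CERTIFICATE records. Two details trip up first-time parsers: the
// directory's VirtualAddress is a raw file offset (not an RVA, the table is not
// mapped), and the PKCS#7 payload starts 8 bytes in, after the record header.
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	dirSecurity      = 4      // IMAGE_DIRECTORY_ENTRY_SECURITY
	winCertTypePKCS7 = 0x0002 // WIN_CERT_TYPE_PKCS_SIGNED_DATA
	winCertRev2      = 0x0200 // WIN_CERT_REVISION_2_0
)

// ErrUnsigned is the "Certificate Table is empty" case that SigDiff records as
// null sig_* fields.
var ErrUnsigned = errors.New("no Certificate Table: binary is unsigned")

// LocateAuthenticode returns the PKCS#7 SignedData payload of the first
// WIN_CERTIFICATE record in a PE image held in memory.
func LocateAuthenticode(image []byte) ([]byte, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return nil, err
	}
	var dir pe.DataDirectory
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		dir = oh.DataDirectory[dirSecurity]
	case *pe.OptionalHeader64:
		dir = oh.DataDirectory[dirSecurity]
	}
	if dir.Size == 0 {
		return nil, ErrUnsigned
	}
	end := uint64(dir.VirtualAddress) + uint64(dir.Size) // plain file-offset arithmetic
	if dir.Size < 8 || end > uint64(len(image)) {
		return nil, errors.New("Certificate Table points outside the file")
	}
	rec := image[dir.VirtualAddress:end]
	// WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
	length := binary.LittleEndian.Uint32(rec[0:4])
	rev := binary.LittleEndian.Uint16(rec[4:6])
	typ := binary.LittleEndian.Uint16(rec[6:8])
	if typ != winCertTypePKCS7 || length < 8 || length > dir.Size {
		return nil, fmt.Errorf("unsupported WIN_CERTIFICATE (type %#x, rev %#x, len %d)", typ, rev, length)
	}
	return rec[8:length], nil
}

// FakeSignedPE is constructed test input: the smallest PE32+ header layout that
// debug/pe parses, with Certificate Table entry 4 pointing at one WIN_CERTIFICATE
// record appended after the headers. Pass nil for an unsigned skeleton. It is
// not a loadable executable, only enough structure to exercise the locator.
func FakeSignedPE(p7 []byte) []byte {
	const hdrEnd = 64 + 4 + 20 + 240 // DOS header, "PE\0\0", COFF header, PE32+ optional header
	img := make([]byte, hdrEnd)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 64) // e_lfanew
	copy(img[64:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[68:], 0x8664) // Machine = AMD64
	binary.LittleEndian.PutUint16(img[84:], 240)    // SizeOfOptionalHeader
	oh := img[88:]
	binary.LittleEndian.PutUint16(oh[0:], 0x20b) // PE32+ magic
	binary.LittleEndian.PutUint32(oh[108:], 16)  // NumberOfRvaAndSizes
	if len(p7) == 0 {
		return img
	}
	rec := make([]byte, 8+len(p7))
	binary.LittleEndian.PutUint32(rec[0:], uint32(len(rec)))
	binary.LittleEndian.PutUint16(rec[4:], winCertRev2)
	binary.LittleEndian.PutUint16(rec[6:], winCertTypePKCS7)
	copy(rec[8:], p7)
	secDir := oh[112+8*dirSecurity:]                  // DataDirectory[4]
	binary.LittleEndian.PutUint32(secDir[0:], hdrEnd) // file offset, not RVA
	binary.LittleEndian.PutUint32(secDir[4:], uint32(len(rec)))
	return append(img, rec...)
}

func main() {
	blob, err := LocateAuthenticode(FakeSignedPE([]byte("constructed PKCS#7 placeholder")))
	fmt.Printf("%q %v\n", blob, err)
}
```

Real files can carry several WIN_CERTIFICATE records, each padded to an 8-byte boundary; this example takes the first. An empty Certificate Table is the unsigned case, which is exactly the condition under which the four columns above are null, so the locator reports it as a distinct error rather than a parse failure.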
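Once the blob is in hand, the four columns come from the certificate that the SignerInfo names by issuer and serial, not from whichever certificate happens to come first in the bag (bags are unordered and usually hold intermediates too). The following Go program is an added example, not HashWatch's code: it uses only encoding/asn1 and crypto/x509, and derives the four values from a constructed PKCS#7 blob. The SigFields type, FieldsFrom, SampleSignedData and the "Example Publisher LLC" certificate are this example's own assumptions. Like the feature described above, it stops at identity extraction and does not validate the signature.

```go
// Added example, not HashWatch's code: derive sig_signer, sig_issuer, sig_serial and
// sig_thumbprint from the PKCS#7 SignedData carried in an Authenticode WIN_CERTIFICATE,
// stdlib only. It extracts the identity the file claims; it does NOT verify the signature.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

type SigFields struct{ Signer, Issuer, Serial, Thumbprint string } // the four nullable sig_* columns

// Just enough PKCS#7 SignedData (RFC 2315) to find the signer; uninterpreted parts stay RawValue.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,tag:0,optional"`
}
type issuerAndSerial struct {
	Issuer asn1.RawValue // DER Name, compared byte-for-byte with cert.RawIssuer
	Serial *big.Int
}
type signerInfo struct {
	Version         int
	IssuerAndSerial issuerAndSerial
	DigestAlg       pkix.AlgorithmIdentifier
	AuthAttrs       asn1.RawValue `asn1:"optional,tag:0"`
	EncAlg          pkix.AlgorithmIdentifier
	EncryptedDigest []byte // a trailing [1] unauthenticatedAttributes (timestamp) is tolerated by encoding/asn1
}
type signedData struct {
	Version      int
	DigestAlgs   []pkix.AlgorithmIdentifier `asn1:"set"`
	ContentInfo  contentInfo   // SpcIndirectDataContent: the PE hash that was signed
	Certificates asn1.RawValue `asn1:"optional,tag:0"` // bag: leaf plus intermediates, any order
	CRLs         asn1.RawValue `asn1:"optional,tag:1"`
	SignerInfos  []signerInfo `asn1:"set"`
}

var oidSignedData, oidSHA256 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}, asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// FieldsFrom resolves the first SignerInfo's issuer+serial to a certificate in the
// bag (an intermediate shares the leaf's issuer name, so the serial decides).
// sig_thumbprint is SHA-1 over the DER leaf, the value Windows displays.
func FieldsFrom(p7 []byte) (SigFields, error) {
	var ci contentInfo
	if _, err := asn1.Unmarshal(p7, &ci); err != nil || !ci.ContentType.Equal(oidSignedData) {
		return SigFields{}, fmt.Errorf("not a PKCS#7 signedData ContentInfo: %v", err)
	}
	var sd signedData
	if _, err := asn1.Unmarshal(ci.Content.Bytes, &sd); err != nil || len(sd.SignerInfos) == 0 {
		return SigFields{}, fmt.Errorf("SignedData without a usable SignerInfo: %v", err)
	}
	certs, err := x509.ParseCertificates(sd.Certificates.Bytes) // nil on any parse failure
	want := sd.SignerInfos[0].IssuerAndSerial
	for _, c := range certs {
		if string(c.RawIssuer) == string(want.Issuer.FullBytes) && c.SerialNumber.Cmp(want.Serial) == 0 {
			return SigFields{Signer: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
				Serial: fmt.Sprintf("%x", c.SerialNumber.Bytes()), Thumbprint: fmt.Sprintf("%x", sha1.Sum(c.Raw))}, nil
		}
	}
	return SigFields{}, fmt.Errorf("signer certificate not present in bag (parse error: %v)", err)
}

// SampleSignedData is constructed input: one throwaway self-signed "publisher"
// certificate in the bag and one SignerInfo naming it by issuer+serial. The
// EncryptedDigest is a dummy byte: right shape, not a valid signature.
func SampleSignedData() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x0a1b2c), Subject: pkix.Name{CommonName: "Example Publisher LLC"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // constructed sample: nothing sensible to recover
	}
	leaf, _ := x509.ParseCertificate(der)
	sd := signedData{Version: 1, DigestAlgs: []pkix.AlgorithmIdentifier{{Algorithm: oidSHA256}},
		ContentInfo:  contentInfo{ContentType: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 4}}, // SPC_INDIRECT_DATA_OBJID
		Certificates: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: der},
		SignerInfos: []signerInfo{{Version: 1,
			IssuerAndSerial: issuerAndSerial{Issuer: asn1.RawValue{FullBytes: leaf.RawIssuer}, Serial: leaf.SerialNumber},
			DigestAlg:       pkix.AlgorithmIdentifier{Algorithm: oidSHA256},
			EncAlg:          pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}}, // ecdsa-with-SHA256
			EncryptedDigest: []byte{0}}}}
	sdDER, _ := asn1.Marshal(sd)
	p7, _ := asn1.Marshal(contentInfo{ContentType: oidSignedData,
		Content: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: sdDER}})
	return p7
}

func main() { fmt.Println(FieldsFrom(SampleSignedData())) }
```

Go's x509 parser is strict, so a bag containing one certificate it rejects makes ParseCertificates return nothing and the signer is lost; a production extractor would walk the bag element by element and skip the unparsable one. The thumbprint is SHA-1 over the DER certificate because that is the identifier Windows, EDRs and this page's sig_thumbprint column all use; it is an index key, not a security boundary.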
Where it appears#
Public dashboard (free, no API key)#
Each tracked binary shows a Signer column (the Authenticode subject); hover for the issuer, serial, and thumbprint.
API#
The sig_* fields are returned on every hash record in the /public/hash-of-day response and on authenticated lookups:
```json
{
  "executable_name": "chrome-win64.msi",
  "vendor": "Google LLC",
  "version": "124.0.6367.82",
  "hash_sha256": "…",
  "sig_signer": "Google LLC",
  "sig_issuer": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
  "sig_serial": "0a1b2c…",
  "sig_thumbprint": "d4e5f6…",
  "cert_revoked_at": null
}
```
How to use it#
- Spot a changed signer. If a file claims to be a known tool but its sig_signer or sig_thumbprint differs from the publisher HashWatch records for that software, it may have been re-signed with a different (possibly attacker-controlled) certificate. A new thumbprint under the same sig_signer and sig_issuer is usually routine certificate renewal; a new sig_signer is what warrants investigation.
- Pivot across endpoints. Use sig_thumbprint in your EDR/SIEM to find every binary signed with a given certificate - the unit RevokeRadar checks revocation for.
- Confirm provenance. A matching hash tells you the bytes are byte-for-byte a known release; a matching signer tells you which identity published them. Together they are stronger than either alone. Note that the sig_* fields describe the certificate embedded in the file, not whether its signature verifies: a signature block copied into a modified binary keeps the original signer and thumbprint but fails validation, so treat a signer match on an unknown hash as a lead, not a verdict, until the signature itself has been validated.
SigDiff describes the signing identity; RevokeRadar tells you whether that identity’s certificate has since been revoked. Read them together.