Why does Excel not trust my code sign signature? - excel

I sign the VBA project inside my Excel workbook following this tutorial, because doing it the usual way in the "VBA IDE" inside Excel fails: https://support.microsoft.com/en-us/topic/upgrade-signed-office-vba-macro-projects-to-v3-signature-kb5000676-2b8b3cae-ad64-4b4b-aa85-c4a98ca6da87
The command I run to sign my project is offsign.bat "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\" "sign /tr http://time.certum.pl /a /fd SHA256" "verify /pa" "C:\Users\MYUSER\Desktop\FILE.xlsm". I sign it with my CodeSign certificate which I bought from Certum.
After signing and verifying with Microsoft's own batch script, I want to see what the end user would get and open my workbook. What Excel reports back is that the signature is valid, but not trusted, even though it is a code signing certificate and the CA is present and trusted. To check whether the issue is the PKI or Windows, I coded a small Windows Forms application and signed it, which works flawlessly.
If I try to pull more details, I get, as mentioned, the issue with the untrusted certificate issuer (in German, bold text above the file path).
Opening the dialog to get signature details, I get these bits of information.
What did I miss or what do I have to do so Excel trusts my signature?

Excel does not (unfortunately) automatically trust code-signed files. You have to add the publisher to the list of trusted publishers.

Related

Excel wont accept SelfCert Digital certificate

I have just moved machine from Windows 8.1/Office 2010 to Win 10/Office 2019. I have an Excel spreadsheet with a lot of VBA code. Excel 2019 won't accept the old certificate, so I am having to re-certificate the sheet.
In the Trust Centre the options are set to "Disable all macros except digitally signed macros".
As far as I can tell, the Trust Centre settings in the two Office versions are set the same.
I have created a new certificate on the Windows 10 machine. (MyCert)
I have tried installing it as per Microsoft's guide. (https://support.microsoft.com/en-us/office/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01)
But the protected view and the Enable editing messages persist.
I have tried removing the certificate and saving the file, then adding the certificate and saving it again, without effect.
The certificate shows as having been added and appears in the dialog box, both under the "Signed as" and "Sign as" parts of the dialog box.
The certificate is not in the trusted store, but I could not see how to use mmc (certificate add-in) to add it.
I realise that I am making a simple mistake, but I can't see how to get Excel to recognise the certificate and I wonder if anyone can help?

Excel: Signing Excel Macros to prevent "Enable Macros" popup

I would like to know how I can achieve the following:
Have Excel open without the request to "Enable Macros" for an Excel sheet that is distributed as a template and filled in by many, which then comes back to a script of mine that wants to read the contents of the Excel sheet (the macros are only there for the users).
Any action that requires me to make a change to my own installation of Excel (such as adding the file to the trusted docs) won't work, since the computer that runs the script can be any of 1000 computers that contain the automated script.
Signing the Excel sheet (something I read here could solve the issue) is fine, but I would like to know how to go about this when operating from within an enterprise governed by a lot of security regulations.
I don't have access to alter the Trust Center settings, nor can I click the "enable macros" button every time...
All help is welcome.
The simplest solution is to store the template in a "Trusted Location" - that is a folder on your network where macros are allowed. You can either set the template's current location as trusted, or move the template into an existing trusted location. Your IT dept should be able to set up such a location if they don't already have one enabled in people's profiles. You'll have to talk to your IT dept because it's unlikely your users can alter this setting themselves.
Fortunately, no one can do this. If it were allowed to automatically prevent the "Enable Macros" security warning pop-up, this would have been a huge security issue:
However, you may contact the people using the template and ask them to enable all macros from the Trust Centre:
This is how to navigate to the Trust Centre in Excel:
Microsoft Office Button
Excel Options
Trust Center
Trust Center Settings
Macro Settings
Enable or disable macros in Office files
Vityata's solution only works if your enterprise security policy allows trusting network drives. It doesn't work in our environment as our security policy disables trusting network drives.
I handled the issue on a much smaller scale by self-signing the macros and installing my cert on the client's computers. I only have a few clients that use the scripts I write so it's not a big deal for me.
However, to do this at scale would require your IT dept to distribute your cert via their Windows update mechanism. You have to have admin access to your machine and a second machine as a test platform for this to work.
The steps you would take would be:
Create your self-signed cert.
Sign the macro.
Test it works on another machine by installing your cert on the other machine and running the macro.
Send the cert to your IT dept for them to distribute.
Send the spreadsheet to your clients.
I'm working on an alternative approach of setting our department up as a certificate authority and issuing properly signed certs internally for our own use. We have a plethora of devices that don't have fully qualified domain names assigned to them because the network group doesn't want to deal with the overhead of maintaining thousands of certs. As you might imagine, it's a project to get all the pieces in play so that one person can handle it.

Chain of trust at digitally signed VBA code not working as expected

I created 2 self-signed certificates:
A root certificate: MyRootCA self-signed
A code signing certificate: MyCodeSign signed by MyRootCA
Now I add MyRootCA to the Trusted Publishers in Excel's Trust Center and sign my VBA code with MyCodeSign (which is not added to the Trust Center).
Now I believe that, because I trusted MyRootCA, which signed MyCodeSign, Excel should also trust all MyCodeSign-signed code (chain of trust). But it doesn't. Only if I add MyCodeSign to the Trust Center is my code trusted.
Does anyone have an idea where I'm thinking wrong? Or does Excel just not trust child-signed code when its parent certificate is trusted?
So below you see A is MyRootCA and B is MyCodeSign issued by A:
Now I think that when I trust A in the Trust Center, that all code signed with B should be trusted too. But Excel still asks for trusting/enable macros.
So perhaps someone can confirm that issue (so I know it's not my fault) or disprove it?
I'm working on the latest version of Office 2016 x64 Edition, if that matters.
(Sorry for the German screenshots)
So obviously Excel is driving me nuts and changed the option from
disable all macros except digitally signed macros
back to the default (probably that happened during an update or something):
disable all macros with notification
With this option even digitally signed VBA code gets a security warning, and it asks you to activate macros.
And of course, with "disable all macros except digitally signed macros", the chain of trust is valid and I don't need to trust every single certificate. Trusting the root CA is enough, as I expected.
Pro side: Excel enables macros and doesn't ask anymore on digitally signed macros.
Con side: Excel disables macros and doesn't ask anymore on un-signed macros.
Nevertheless, I miss a mix of both options, like:
"disable all macros with notification except digitally signed macros"
Which would perfectly meet my wishes.
Looks like you have to trust the publisher even if you have a valid certificate:
https://www.groovypost.com/howto/howto/office-2010-outlook-self-signed-digital-certificate/
Take a look at these three tabs:
Trusted CA | Trusted Publishers | Untrusted Publishers
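One way to reproduce the two-tier setup this question describes (and the self-signed-cert steps in the earlier "Enable Macros" answer), as an added PowerShell example that is not from any of the posts: it builds a MyRootCA/MyCodeSign pair, places each certificate in the store Excel consults for it, and shows that "chain is valid" and "publisher is trusted" are two separate checks, which is the "valid but not trusted" state from the first question. Store paths and cmdlets are real; the subject names and the %TEMP% export paths are constructed, and the script does not sign the workbook itself (the posts use signtool via offsign.bat for that).

```powershell
# Added example, not from the posts. Builds the MyRootCA -> MyCodeSign chain,
# installs the public certificates where Excel looks for them, and separates
# chain validity from publisher trust. Subject names and export paths are
# constructed for this example.

# 1. Self-signed root. Basic Constraints CA=true is what lets it act as an issuer.
$root = New-SelfSignedCertificate -Type Custom -Subject "CN=MyRootCA" `
    -KeyUsage CertSign, CRLSign -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0") `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(10)

# 2. Code-signing leaf issued by the root. -Type CodeSigningCert adds the
#    Code Signing EKU (1.3.6.1.5.5.7.3.3) that Office requires on the signer.
$leaf = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=MyCodeSign" `
    -Signer $root -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(2)

# 3. Store placement on the test or user machine. Only public .cer files are
#    exported (no private key). The root goes into Root; the leaf goes into
#    TrustedPublisher, the store behind the Trust Center's "Trusted Publishers"
#    tab. Importing into Root prompts the user interactively.
Export-Certificate -Cert $root -FilePath "$env:TEMP\MyRootCA.cer" | Out-Null
Export-Certificate -Cert $leaf -FilePath "$env:TEMP\MyCodeSign.cer" | Out-Null
Import-Certificate -FilePath "$env:TEMP\MyRootCA.cer" `
    -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath "$env:TEMP\MyCodeSign.cer" `
    -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# 4. Chain validity: does the leaf chain to a trusted root for code signing?
#    Revocation checking is off because a home-made CA publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
$chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid "1.3.6.1.5.5.7.3.3")) | Out-Null
$chainOk = $chain.Build($leaf)
"Chain valid: $chainOk"
$chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }

# 5. Publisher trust is a separate decision. "Valid but not trusted" is exactly
#    $chainOk = True together with $publisherOk = False.
$publisherOk = [bool](Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $leaf.Thumbprint })
"Publisher trusted: $publisherOk"
```

Run step 3 on the machine that opens the workbook, not only on the signing machine; removing the leaf from TrustedPublisher afterwards flips only the second result, which is the behaviour the threads above observe.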

Microsoft One-Click Installer - User Never Prompted for Trust

I wrote an Excel add-in for a client that does some custom things for 5 users. I wrote it with VS2012 and the interop assemblies for Excel 2010. I published the add-in with the MS one-click publisher, zipped up the contents, and sent it to these 5 users. They are (seemingly) only able to install the add-in at random. Some users have been successful, while others get an error message. Some more info:
The users that are not successfully installing are never being prompted to trust the install. It takes them right to the error message.
I signed the code with just a local dev cert. I didn't use a VeriSign certificate or anything like that. I didn't figure that it would do anything, because their local file system is never allowing it to get to the prompt.
First I made a batch file to configure the registry for inclusion list security. This did nothing.
I haven't been able to replicate the error on any other PC, whether it's on my local network or not.
My guess is that they've got something in their security policy that prohibits access to these one-click installer files. Any ideas which one?
Here is the error message:
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for ThisAddin or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn() The Zone of the assembly that failed was:MyComputer
We faced a similar problem when an add-in was developed and signed by a certificate issued by Domain A, and any user from that domain was able to install it. The add-in was published on a web site: http://host.org/apps/addin/setup.exe
Later, people from Domain B also decided to use the add-in, but the only thing they saw was the message about trusted locations and "Contact your admin".
The solution was trivial: open Internet Explorer and add http://host.org to the trusted sites.
I was in a pinch for time, so I exported the developer certificate and had them install it on their machines.

How to programmatically remove the digital signature from VBA macros in Excel?

Is there any way to programmatically remove the digital signature from the VBA macros of an Excel sheet?
i.e. code that is equivalent to entering the VBA editor, going to Tools menu -> Digital Signature and clicking Remove.
Interesting question.
It's deliberately not part of the Excel object model for security reasons.
It is possible to remove the certificate from the certificate store. This requires Win32 API calls (which can be made from VB6 or VBA), but I'm not sure of the exact effect on your project once you do this...
It will definitely invalidate the certificate, but I don't know if it will remove it.
Also you may not wish to remove the certificate from the store (since you could be using it for something else).
To view the certificate store, type certmgr.msc at the Run prompt.
Anyway, a link on how to remove a certificate programmatically:
KB article showing how to remove a trusted root certificate from the store.
Requirements:
1. You'll need to download the Windows SDK for the appropriate platform to get the CAPICOM DLLs, and regsvr32 them.
2. You'll need to extract the public key from the certificate you want to remove.
3. Test with an unimportant workbook first; I have no idea whether this method will (apart from invalidating the certificate) also cause corruption in the workbook. Hopefully someone has a better suggestion than this.