Signing a Database Application

I have several database applications developed in Access 2000. Some of my
users have upgraded to Access 2003, and they get a warning every time they
open the application: "This file may not be safe if it contains code that
was intended to harm your computer."

I understand that there are two ways to avoid this message. One is to set
the security level on Access to low. The other is to sign the database with
a digital certificate, and ask the users to trust that certificate. I would
like to pursue the latter option.

My question is: How do I create a certificate and how do I sign the database
with it? I assume I will need some tool which is not included with Office
2000. What do I need?


-Todd Matson

re: Signing a Database Application

Todd Matson wrote:[color=blue]
> I have several database applications developed in Access 2000. Some
> of my users have upgraded to Access 2003, and they get a warning
> every time they open the application: "This file may not be safe if
> it contains code that was intended to harm your computer."[/color]
[color=blue]
> My question is: How do I create a certificate and how do I sign the
> database with it? I assume I will need some tool which is not
> included with Office 2000. What do I need?[/color]

A shitload of money. And then you contact a certificate issuing company.
They will investigate your application, and give you a price estimate for
the certificate. And you need a separate certificate for each of your
applications.

In short: Don't go there girlfriend.

/jim

re: Signing a Database Application

On Thu, 21 Apr 2005 13:33:00 +0200, "Jim Andersen"
<jimVÆÆK@officeconsult.dk> wrote:

That is not my experience. Review articles such as
http://msdn.microsoft.com/library/de...tml/sa04d1.asp
to get the skinny on digital signing.
A certificate authority (CA) will indeed have to investigate your
application (not your software application; but the paperwork you
submit to them) to ensure you are who you say you are. They are in the
trust business, so this is understandable.
After that, the certificate is a commodity: give them US$200/year and
it is yours. This certificate can be used to sign ALL your
applications.

In short: You go, girl!

-Tom.

[color=blue]
>Todd Matson wrote:[color=green]
>> I have several database applications developed in Access 2000. Some
>> of my users have upgraded to Access 2003, and they get a warning
>> every time they open the application: "This file may not be safe if
>> it contains code that was intended to harm your computer."[/color]
>[color=green]
>> My question is: How do I create a certificate and how do I sign the
>> database with it? I assume I will need some tool which is not
>> included with Office 2000. What do I need?[/color]
>
>A shitload of money. And then you contact a certificate issuing company.
>They will investigate your application, and give you a price estimate for
>the certificate. And you need a separate certificate for each of your
>applications.
>
>In short: Don't go there girlfriend.
>
>/jim
>[/color]

re: Signing a Database Application

You can also use an untrusted signature. There is a program you can download
from Microsoft called something like selfsign.exe that will let you generate a
random signature. With this technique, users will have to approve the
signature once for the first app/version you send them, and from then on, they
won't get a security warning when they open your applications.

On Thu, 21 Apr 2005 07:28:50 -0700, Tom van Stiphout <no.spam.tom7744@cox.net>
wrote:
[color=blue]
>On Thu, 21 Apr 2005 13:33:00 +0200, "Jim Andersen"
><jimVÆÆK@officeconsult.dk> wrote:
>
>That is not my experience. Review articles such as
>http://msdn.microsoft.com/library/de...tml/sa04d1.asp
>to get the skinny on digital signing.
>A certificate authority (CA) will indeed have to investigate your
>application (not your software application; but the paperwork you
>submit to them) to ensure you are who you say you are. They are in the
>trust business, so this is understandable.
>After that, the certificate is a commodity: give them US$200/year and
>it is yours. This certificate can be used to sign ALL your
>applications.
>
>In short: You go, girl!
>
>-Tom.
>
>[color=green]
>>Todd Matson wrote:[color=darkred]
>>> I have several database applications developed in Access 2000. Some
>>> of my users have upgraded to Access 2003, and they get a warning
>>> every time they open the application: "This file may not be safe if
>>> it contains code that was intended to harm your computer."[/color]
>>[color=darkred]
>>> My question is: How do I create a certificate and how do I sign the
>>> database with it? I assume I will need some tool which is not
>>> included with Office 2000. What do I need?[/color]
>>
>>A shitload of money. And then you contact a certificate issuing company.
>>They will investigate your application, and give you a price estimate for
>>the certificate. And you need a separate certificate for each of your
>>applications.
>>
>>In short: Don't go there girlfriend.
>>
>>/jim
>>[/color][/color]

re: Signing a Database Application

I apologize for being unclear, but an untrusted signature is what I was
asking about.

Thank you for pointing me to selfsign.exe. I ran it and generated a
certificate, but it still leaves me with a lot of questions. I had
understood that certificates have lifetimes, yet that utility gave me no
control over the lifetime of the certificate. Why is that? Also, now that
the certificate is created, how is it represented on my computer? Is there a
file somewhere? How can I manage it?

Also, I still do not know how to sign my database with the certificate. I
believe that Access 2003 has a menu command for that purpose (Tools /
Digital Signature), but I am using Access 2000. I have no desire to buy
Access 2003 just to sign a few databases -- is there some other utility I
can obtain which will do the trick?

Finally, can anyone tell me what a certificate is, exactly? According to the
Microsoft page referenced by Tom, a certificate is a private key / public
key pair. I asked Verisign the same question, and they claim that a
certificate is a public key signed by a certification authority's private
key. Which is it?


-Todd Matson


"Steve Jorgensen" <nospam@nospam.nospam> wrote in message
news:hgff619o3dinoeifgd63gild3gektgqj5m@4ax.com...[color=blue]
> You can also use an untrusted signature. There is a program you can[/color]
download[color=blue]
> from Microsoft called something like selfsign.exe that will let you[/color]
generate a[color=blue]
> random signature. With this technique, users will have to approve the
> signature once for the first app/version you send them, and from then on,[/color]
they[color=blue]
> won't get a security warning when they open your applications.
>
> On Thu, 21 Apr 2005 07:28:50 -0700, Tom van Stiphout[/color]
<no.spam.tom7744@cox.net>[color=blue]
> wrote:
>[color=green]
> >On Thu, 21 Apr 2005 13:33:00 +0200, "Jim Andersen"
> ><jimVÆÆK@officeconsult.dk> wrote:
> >
> >That is not my experience. Review articles such as[/color]
>
>http://msdn.microsoft.com/library/de...-us/dnsmart04/[/color]
html/sa04d1.asp[color=blue][color=green]
> >to get the skinny on digital signing.
> >A certificate authority (CA) will indeed have to investigate your
> >application (not your software application; but the paperwork you
> >submit to them) to ensure you are who you say you are. They are in the
> >trust business, so this is understandable.
> >After that, the certificate is a commodity: give them US$200/year and
> >it is yours. This certificate can be used to sign ALL your
> >applications.
> >
> >In short: You go, girl!
> >
> >-Tom.[/color][/color]

re: Signing a Database Application

Todd,

On my install of Office 2003, there is an item in the Start-Programs-MS
Office-MS Office Tools called 'Digital Certificate for VBA Projects'.
This will allow you to create a self-signed certificate. This needs to
be created on the PC that will run the app. If you use the Access 2003
Help and search for the word Certificate, the first item is on how to
create your own certificate. There is another topic called 'Add a
digital signature to macro project' that explains how to use it.

It really is only to protect from malicious code in Macros not VBA.

This is a bit of a hack but MS has forced us into it.

--
Bri

Todd Matson wrote:[color=blue]
> I have several database applications developed in Access 2000. Some of my
> users have upgraded to Access 2003, and they get a warning every time they
> open the application: "This file may not be safe if it contains code that
> was intended to harm your computer."
>
> I understand that there are two ways to avoid this message. One is to set
> the security level on Access to low. The other is to sign the database with
> a digital certificate, and ask the users to trust that certificate. I would
> like to pursue the latter option.
>
> My question is: How do I create a certificate and how do I sign the database
> with it? I assume I will need some tool which is not included with Office
> 2000. What do I need?
>
>
> -Todd Matson
>
>[/color]

re: Signing a Database Application

Steve Jorgensen wrote:[color=blue]
> You can also use an untrusted signature. There is a program you can download
> from Microsoft called something like selfsign.exe that will let you generate a
> random signature. With this technique, users will have to approve the
> signature once for the first app/version you send them, and from then on, they
> won't get a security warning when they open your applications.[/color]

My understanding is a selfsign.exe generated cert only works on the PC
that the cert was generated - so that wouldn't work for a distributed app.

One possible work around is to run a VB program that you write to open
Access via automation. You could then set the security level to low via
Automation code and then execute your app. The user won't see the
warning then and since you wrote the VB app it only works for your app.

However, it would still be your responsibility to make the client
understand what you are doing since you are messing with THEIR security
settings.

If you are really serious about distributing your app then get the
certificate.
--
'---------------
'John Mishefske
'---------------

re: Signing a Database Application

On Thu, 21 Apr 2005 22:24:18 -0500, John Mishefske
<mishejNEGATIVE@JUNKtds.net> wrote:
[color=blue]
>Steve Jorgensen wrote:[color=green]
>> You can also use an untrusted signature. There is a program you can download
>> from Microsoft called something like selfsign.exe that will let you generate a
>> random signature. With this technique, users will have to approve the
>> signature once for the first app/version you send them, and from then on, they
>> won't get a security warning when they open your applications.[/color]
>
>My understanding is a selfsign.exe generated cert only works on the PC
>that the cert was generated - so that wouldn't work for a distributed app.
>
>One possible work around is to run a VB program that you write to open
>Access via automation. You could then set the security level to low via
>Automation code and then execute your app. The user won't see the
>warning then and since you wrote the VB app it only works for your app.
>
>However, it would still be your responsibility to make the client
>understand what you are doing since you are messing with THEIR security
>settings.
>
>If you are really serious about distributing your app then get the
>certificate.[/color]

I thought I had read that the user could accept the signature once, and their
computer would continue to recognize it. I'll have to check that when I get a
chance.

re: Signing a Database Application

John,

I don't see why a certification would work on only the PC where it was
generated. Are there different classes of certifications, some which
are portable and some which are not?

I must say, I like your idea of lowering the security setting with a VB
program before launching the application. I already use a VB program to
launch the app, so this could be a simple change. I'll let you know how
it goes.


-TC

re: Signing a Database Application

On 22 Apr 2005 08:15:43 -0700, "TC" <golemdanube@yahoo.com> wrote:
[color=blue]
>John,
>
>I don't see why a certification would work on only the PC where it was
>generated. Are there different classes of certifications, some which
>are portable and some which are not?
>
>I must say, I like your idea of lowering the security setting with a VB
>program before launching the application. I already use a VB program to
>launch the app, so this could be a simple change. I'll let you know how
>it goes.
>
>
>-TC[/color]

By the way, if you use the Sagekey scripts for the Wise installer, it
configures the registry profile so that the Access runtime runs in low
security when running the installed application. There aren't many problems
with Access application deployment that Sagekey doesn't solve.

re: Signing a Database Application

TC wrote:[color=blue]
> John,
>
> I don't see why a certification would work on only the PC where it was
> generated. Are there different classes of certifications, some which
> are portable and some which are not?
>
> I must say, I like your idea of lowering the security setting with a VB
> program before launching the application. I already use a VB program to
> launch the app, so this could be a simple change. I'll let you know how
> it goes.
>
>
> -TC
>[/color]

I'm no expert on certs but if you can generate a cert on your PC so can
mr. hackerScriptKiddie. Who's would be more trusted and based on what?

Verisign and Thawte have a whole business model based on "Trust" (at
least trust that you pay for!).

Here's some good links:

http://msdn.microsoft.com/library/de...tml/sa04d1.asp
http://support.microsoft.com/default...b;en-us;217221

--
'---------------
'John Mishefske
'---------------

re: Signing a Database Application

Can anyone tell me how to sign an Access 2000 application with a
digital certificate? In Word 2000 and Excel 2000, the VB editor has a
menu command Tools / Digital Signature which can be used to sign a
project, but that command doesn't exist in Access.

-TC