Code Signing

NeoPa
32,573 Recognized Expert Moderator MVP
Introduction:

Macro Security Levels in MS Office applications are recommended to be set to High. This stops any VBA code associated with a project from running, unless it is signed (with a certificate). A trusted signature will allow the code to run normally, whereas an un-trusted one will prompt the user either to trust the issuing CA (Certificate Authority) and enable the code, or simply to disable the code.

This is all very well, but supposing you develop Excel, Word, Access etc. projects to be used at your place of work, and you don't want to spend lots of money paying for an expensive certificate from one of the main issuing CAs? You also want your user-base to be protected from potentially malicious code from elsewhere, but to run your official code smoothly without continuous prompting.

It's possible to self-certify, using selfcert.exe, but when a certificate is created that way, its private key cannot be exported. The export wizard of the Windows certificate console says "the associated private key is marked as not exportable". This effectively means that it will only work on the PC where the certificate is used. This seems woefully inadequate.

This article explains how that can be achieved without too much hassle. Most of the details from which this was built came from http://www.source-code.biz, so my gratitude to them for that.

Creating the Certificate Files:

To create a certificate file (.PFX) that can be used to sign MS-Office VBA projects (Excel/Word macros) on multiple computers, there are three executable files that are required :
MakeCert.Exe
Cert2Spc.Exe
PVKImprt.Exe

NB. PVKImprt.Exe is the name of the download, AS WELL AS the name of the file INSIDE the download. The one inside is the important one. It's easy to get this wrong, as it is doubly compressed for some reason.

I have also included copies of these executables as an attachment (CodeSigning.Zip) in case the links die. PVKImprt.Exe in this file is the actual one required and needn't be re-extracted.

Solution:

Parameters:
The following commands can be used to create a PFX file (PKCS #12) that contains the self-signed certificate together with the associated private key, but before we start we need to explain / define some parameters :
%Name% = The name that you want the certificate to show as.
%File% = The filename (without extension) to be used.
%PW% = Determine a password to be used for your certificate.

Certificate Creation:
    MakeCert -r -n "CN=%Name%" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -sv %File%.pvk %File%.cer
    ******** You will be asked for a password (%PW%) 3 times.

    Cert2Spc %File%.cer %File%.spc

    PVKImprt -pfx %File%.spc %File%.pvk
    ******** Enter password (%PW%) to start the Wizard.
    ******** Select to export the private key.
    ******** Select to "include all certificates in the certification path" & "to enable strong protection".
    ******** Enter password (%PW%) again, twice.
    ******** Enter, or browse to, the name of the export file required (path\%File%.pfx).
    ******** Finish if / when you have checked the details on the final screen.

The last command (pvkimprt -pfx ...) creates the file %File%.pfx. This PFX file can then be imported into the Windows certificate store and used for code signing.
(MakeCert.Exe and Cert2Spc.Exe are part of several Microsoft SDKs, e.g. the Platform SDK or the DotNet SDKs, which can be downloaded from microsoft.com).

Certificate Installation:
With the .pfx file available, take the following steps to install the ability to sign a project on to a PC :
  1. Open Control Panel.
  2. Select Internet Options.
  3. Select the Content tab.
  4. Click on Certificates.
  5. Click on Import...
  6. Click on Next.
  7. Click on Browse.
  8. Select Files of Type=Personal Information Exchange (.pfx).
  9. Select %File%.pfx.
  10. Click on Next.
  11. Enter %PW% again and select Enable strong private key protection if required.
  12. Select Mark this key as exportable.
  13. Click on Next.
  14. Select Automatically select the certificate store.
  15. Click on Next then Finish.

Sign a Project:
With the certificate now installed you need to sign a project with it.
If you have none available :
  1. Open Excel.
  2. Type something into cell A1 (anything).
  3. Use Alt-F11 to switch to the VBA editor.
  4. From the Project Explorer pane (Ctrl-R) double-click on ThisWorkbook.
  5. In the Code pane paste in the following short piece of code :
        Option Explicit

        Private Sub Workbook_Open()
            Call MsgBox("Hello World")
        End Sub
  6. Select Tools / Digital Signature / Choose.
  7. Select the certificate.
  8. Click on OK.
  9. Use Alt-F11 to switch back to Excel and save the file (EG. as Test.Xls).

Trusting a Signature:
Anyone wishing to trust this signature (using a version of Access prior to 2007) should :
  1. Open Excel and ensure that the security level is set to High (Tools / Macro / Security / High).
  2. Open a file containing a signed project (EG. Test.Xls).
  3. When the Security Warning window pops up, select Always trust macros from this publisher if it is not greyed out
  4. Click on Enable macros.
  5. If it IS greyed out :
    1. Click on Details... / View Certificate / Install certificate...
    2. Go through and "Finish" the wizard as before.
    3. Close the Security Warning window (X at top ensures file doesn't open).
    4. Re-open the file. Select Always trust macros from this publisher (no longer greyed out)
    5. Click on Enable macros.

Anyone wishing to trust this signature (using Access 2007) should :
  1. Open a database which you know to have been signed by the certificate whose publisher you wish to trust.
  2. A Security Warning message appears near the top of the window with an Options button. Click this.
  3. Select Show Signature Details.
  4. Select View Certificate.
  5. Click on Install Certificate...
  6. Click Next when the wizard shows.
  7. Select the Automatically select the certificate store based on the type of certificate radio button.
  8. Click Next.
  9. Click Finish.
  10. To the question Do you want to install this certificate, respond Yes.
  11. Click on OK.
  12. Click on OK.
  13. Click on OK.
  14. Select "Trust all documents from this publisher"
  15. Click on OK.
Attached Files
File Type: zip CodeSigning.Zip (27.8 KB, 718 views)
Feb 15 '09 #1
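
A present-day equivalent of the MakeCert / Cert2Spc / PVKImprt sequence in the article above, as an added example that is not part of the original post. It assumes the PKI cmdlets built into Windows 10 / Server 2016 and later; the name, path and five-year validity are constructed sample values.

```powershell
# Added example, not from the original article.
# $Name, $File and $PW mirror the article's %Name%, %File% and %PW% placeholders.
$Name = 'Example VBA Signing'        # constructed sample value
$File = 'C:\Certs\ExampleSigning'    # constructed sample path, no extension
$PW   = Read-Host -AsSecureString -Prompt 'PFX password'

# Self-signed certificate restricted to the Code Signing EKU (1.3.6.1.5.5.7.3.3),
# with a private key explicitly marked exportable (the thing selfcert.exe lacks).
$params = @{
    Type              = 'CodeSigningCert'
    Subject           = "CN=$Name"
    CertStoreLocation = 'Cert:\CurrentUser\My'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'Exportable'
    NotAfter          = (Get-Date).AddYears(5)   # assumption: shorter than the article's 2099
}
$cert = New-SelfSignedCertificate @params

# Check the EKU through the .NET extension objects before exporting anything.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.3') { throw 'Code Signing EKU missing' }

# .pfx = certificate + private key: only for the PCs that sign projects.
Export-PfxCertificate -Cert $cert -FilePath "$File.pfx" -Password $PW | Out-Null
# .cer = public certificate only: all that a user needs to trust the publisher.
Export-Certificate -Cert $cert -FilePath "$File.cer" | Out-Null

# Audit: publishers this user already trusts, flagging self-signed entries.
Get-ChildItem 'Cert:\CurrentUser\TrustedPublisher' |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
```

Anyone holding the .pfx and its password can sign code that every trusting PC will run without a prompt, so the .pfx belongs only on the developers' machines.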
JustJim
407 Recognized Expert Contributor
Thank you NeoPa for this concise run-through. As a freelance I've been looking for a solution like this for a while. It will make my and my clients' lives simpler and that is always a good thing.

Jim
Apr 15 '09 #2
NeoPa
32,573 Recognized Expert Moderator MVP
I'm glad to help Jim (and you no longer need worry about being son-of satan as your post count has moved on now).
Apr 15 '09 #3
NeoPa
32,573 Recognized Expert Moderator MVP
I've recently had an issue where the certificate I was signing with failed to work. As I've now fixed the issue I don't still have access to the exact error message, but it was on the lines of "Unable to sign project. Certificate dropped.".

The solution I found for this was to remove the certificate, which effectively leaves you with a clean slate, then re-add it in exactly the same way as originally. This clearly requires the same password be entered, so it's important to keep this available.

To remove an existing signing certificate simply :
  1. Open Control Panel.
  2. Select Internet Options.
  3. Select the Content tab.
  4. Click on Certificates.
  5. Select the certificate to be removed.
  6. Click on Remove.
  7. Click on Yes to confirm.
May 14 '10 #4
NeoPa
32,573 Recognized Expert Moderator MVP
As the procedure for ensuring a client trusts the provider of the signature (and thus the code signed by the signature itself) is fundamentally different for Access 2007, I've updated the original article to give specific instructions for use with Access 2007.
Nov 5 '10 #5
