422,949 Members | 1,026 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 422,949 IT Pros & Developers. It's quick & easy.

Signing a Database Application

P: n/a
I have several database applications developed in Access 2000. Some of my
users have upgraded to Access 2003, and they get a warning every time they
open the application: "This file may not be safe if it contains code that
was intended to harm your computer."

I understand that there are two ways to avoid this message. One is to set
the security level on Access to low. The other is to sign the database with
a digital certificate, and ask the users to trust that certificate. I would
like to pursue the latter option.

My question is: How do I create a certificate and how do I sign the database
with it? I assume I will need some tool which is not included with Office
2000. What do I need?
-Todd Matson
Nov 13 '05 #1
Share this Question
Share on Google+
11 Replies


P: n/a
Todd Matson wrote:
I have several database applications developed in Access 2000. Some
of my users have upgraded to Access 2003, and they get a warning
every time they open the application: "This file may not be safe if
it contains code that was intended to harm your computer." My question is: How do I create a certificate and how do I sign the
database with it? I assume I will need some tool which is not
included with Office 2000. What do I need?


A shitload of money. And then you contact a certificate issuing company.
They will investigate your application, and give you a price estimate for
the certificate. And you need a separate certificate for each of your
applications.

In short: Don't go there girlfriend.

/jim
Nov 13 '05 #2

P: n/a
On Thu, 21 Apr 2005 13:33:00 +0200, "Jim Andersen"
<jimVÆÆK@officeconsult.dk> wrote:

That is not my experience. Review articles such as
http://msdn.microsoft.com/library/de...tml/sa04d1.asp
to get the skinny on digital signing.
A certificate authority (CA) will indeed have to investigate your
application (not your software application; but the paperwork you
submit to them) to ensure you are who you say you are. They are in the
trust business, so this is understandable.
After that, the certificate is a commodity: give them US$200/year and
it is yours. This certificate can be used to sign ALL your
applications.

In short: You go, girl!

-Tom.

Todd Matson wrote:
I have several database applications developed in Access 2000. Some
of my users have upgraded to Access 2003, and they get a warning
every time they open the application: "This file may not be safe if
it contains code that was intended to harm your computer."

My question is: How do I create a certificate and how do I sign the
database with it? I assume I will need some tool which is not
included with Office 2000. What do I need?


A shitload of money. And then you contact a certificate issuing company.
They will investigate your application, and give you a price estimate for
the certificate. And you need a separate certificate for each of your
applications.

In short: Don't go there girlfriend.

/jim


Nov 13 '05 #3

P: n/a
You can also use an untrusted signature. There is a program you can download
from Microsoft called something like selfsign.exe that will let you generate a
random signature. With this technique, users will have to approve the
signature once for the first app/version you send them, and from then on, they
won't get a security warning when they open your applications.

On Thu, 21 Apr 2005 07:28:50 -0700, Tom van Stiphout <no*************@cox.net>
wrote:
On Thu, 21 Apr 2005 13:33:00 +0200, "Jim Andersen"
<jimVÆÆK@officeconsult.dk> wrote:

That is not my experience. Review articles such as
http://msdn.microsoft.com/library/de...tml/sa04d1.asp
to get the skinny on digital signing.
A certificate authority (CA) will indeed have to investigate your
application (not your software application; but the paperwork you
submit to them) to ensure you are who you say you are. They are in the
trust business, so this is understandable.
After that, the certificate is a commodity: give them US$200/year and
it is yours. This certificate can be used to sign ALL your
applications.

In short: You go, girl!

-Tom.

Todd Matson wrote:
I have several database applications developed in Access 2000. Some
of my users have upgraded to Access 2003, and they get a warning
every time they open the application: "This file may not be safe if
it contains code that was intended to harm your computer."

My question is: How do I create a certificate and how do I sign the
database with it? I assume I will need some tool which is not
included with Office 2000. What do I need?


A shitload of money. And then you contact a certificate issuing company.
They will investigate your application, and give you a price estimate for
the certificate. And you need a separate certificate for each of your
applications.

In short: Don't go there girlfriend.

/jim


Nov 13 '05 #4

P: n/a
I apologize for being unclear, but an untrusted signature is what I was
asking about.

Thank you for pointing me to selfsign.exe. I ran it and generated a
certificate, but it still leaves me with a lot of questions. I had
understood that certificates have lifetimes, yet that utility gave me no
control over the lifetime of the certificate. Why is that? Also, now that
the certificate is created, how is it represented on my computer? Is there a
file somewhere? How can I manage it?

Also, I still do not know how to sign my database with the certificate. I
believe that Access 2003 has a menu command for that purpose (Tools /
Digital Signature), but I am using Access 2000. I have no desire to buy
Access 2003 just to sign a few databases -- is there some other utility I
can obtain which will do the trick?

Finally, can anyone tell me what a certificate is, exactly? According to the
Microsoft page referenced by Tom, a certificate is a private key / public
key pair. I asked Verisign the same question, and they claim that a
certificate is a public key signed by a certification authority's private
key. Which is it?
-Todd Matson
"Steve Jorgensen" <no****@nospam.nospam> wrote in message
news:hg********************************@4ax.com...
You can also use an untrusted signature. There is a program you can download from Microsoft called something like selfsign.exe that will let you generate a random signature. With this technique, users will have to approve the
signature once for the first app/version you send them, and from then on, they won't get a security warning when they open your applications.

On Thu, 21 Apr 2005 07:28:50 -0700, Tom van Stiphout <no*************@cox.net> wrote:
On Thu, 21 Apr 2005 13:33:00 +0200, "Jim Andersen"
<jimVÆÆK@officeconsult.dk> wrote:

That is not my experience. Review articles such as


http://msdn.microsoft.com/library/de...-us/dnsmart04/

html/sa04d1.asp
to get the skinny on digital signing.
A certificate authority (CA) will indeed have to investigate your
application (not your software application; but the paperwork you
submit to them) to ensure you are who you say you are. They are in the
trust business, so this is understandable.
After that, the certificate is a commodity: give them US$200/year and
it is yours. This certificate can be used to sign ALL your
applications.

In short: You go, girl!

-Tom.

Nov 13 '05 #5

P: n/a
Bri
Todd,

On my install of Office 2003, there is an item in the Start-Programs-MS
Office-MS Office Tools called 'Digital Certificate for VBA Projects'.
This will allow you to create a self-signed certificate. This needs to
be created on the PC that will run the app. If you use the Access 2003
Help and search for the word Certificate, the first item is on how to
create your own certificate. There is another topic called 'Add a
digital signature to macro project' that explains how to use it.

It really is only to protect from malicious code in Macros not VBA.

This is a bit of a hack but MS has forced us into it.

--
Bri

Todd Matson wrote:
I have several database applications developed in Access 2000. Some of my
users have upgraded to Access 2003, and they get a warning every time they
open the application: "This file may not be safe if it contains code that
was intended to harm your computer."

I understand that there are two ways to avoid this message. One is to set
the security level on Access to low. The other is to sign the database with
a digital certificate, and ask the users to trust that certificate. I would
like to pursue the latter option.

My question is: How do I create a certificate and how do I sign the database
with it? I assume I will need some tool which is not included with Office
2000. What do I need?
-Todd Matson


Nov 13 '05 #6

P: n/a
Steve Jorgensen wrote:
You can also use an untrusted signature. There is a program you can download
from Microsoft called something like selfsign.exe that will let you generate a
random signature. With this technique, users will have to approve the
signature once for the first app/version you send them, and from then on, they
won't get a security warning when they open your applications.


My understanding is a selfsign.exe generated cert only works on the PC
that the cert was generated - so that wouldn't work for a distributed app.

One possible work around is to run a VB program that you write to open
Access via automation. You could then set the security level to low via
Automation code and then execute your app. The user won't see the
warning then and since you wrote the VB app it only works for your app.

However, it would still be your responsibility to make the client
understand what you are doing since you are messing with THEIR security
settings.

If you are really serious about distributing your app then get the
certificate.
--
'---------------
'John Mishefske
'---------------
Nov 13 '05 #7

P: n/a
On Thu, 21 Apr 2005 22:24:18 -0500, John Mishefske
<mi************@JUNKtds.net> wrote:
Steve Jorgensen wrote:
You can also use an untrusted signature. There is a program you can download
from Microsoft called something like selfsign.exe that will let you generate a
random signature. With this technique, users will have to approve the
signature once for the first app/version you send them, and from then on, they
won't get a security warning when they open your applications.


My understanding is a selfsign.exe generated cert only works on the PC
that the cert was generated - so that wouldn't work for a distributed app.

One possible work around is to run a VB program that you write to open
Access via automation. You could then set the security level to low via
Automation code and then execute your app. The user won't see the
warning then and since you wrote the VB app it only works for your app.

However, it would still be your responsibility to make the client
understand what you are doing since you are messing with THEIR security
settings.

If you are really serious about distributing your app then get the
certificate.


I thought I had read that the user could accept the signature once, and their
computer would continue to recognize it. I'll have to check that when I get a
chance.
Nov 13 '05 #8

P: n/a
TC
John,

I don't see why a certification would work on only the PC where it was
generated. Are there different classes of certifications, some which
are portable and some which are not?

I must say, I like your idea of lowering the security setting with a VB
program before launching the application. I already use a VB program to
launch the app, so this could be a simple change. I'll let you know how
it goes.
-TC

Nov 13 '05 #9

P: n/a
On 22 Apr 2005 08:15:43 -0700, "TC" <go*********@yahoo.com> wrote:
John,

I don't see why a certification would work on only the PC where it was
generated. Are there different classes of certifications, some which
are portable and some which are not?

I must say, I like your idea of lowering the security setting with a VB
program before launching the application. I already use a VB program to
launch the app, so this could be a simple change. I'll let you know how
it goes.
-TC


By the way, if you use the Sagekey scripts for the Wise installer, it
configures the registry profile so that the Access runtime runs in low
security when running the installed application. There aren't many problems
with Access application deployment that Sagekey doesn't solve.
Nov 13 '05 #10

P: n/a
TC wrote:
John,

I don't see why a certification would work on only the PC where it was
generated. Are there different classes of certifications, some which
are portable and some which are not?

I must say, I like your idea of lowering the security setting with a VB
program before launching the application. I already use a VB program to
launch the app, so this could be a simple change. I'll let you know how
it goes.
-TC


I'm no expert on certs but if you can generate a cert on your PC so can
mr. hackerScriptKiddie. Who's would be more trusted and based on what?

Verisign and Thawte have a whole business model based on "Trust" (at
least trust that you pay for!).

Here's some good links:

http://msdn.microsoft.com/library/de...tml/sa04d1.asp
http://support.microsoft.com/default...b;en-us;217221

--
'---------------
'John Mishefske
'---------------
Nov 13 '05 #11

P: n/a
TC
Can anyone tell me how to sign an Access 2000 application with a
digital certificate? In Word 2000 and Excel 2000, the VB editor has a
menu command Tools / Digital Signature which can be used to sign a
project, but that command doesn't exist in Access.

-TC

Nov 13 '05 #12

This discussion thread is closed

Replies have been disabled for this discussion.