• Signing a VBA project (Word 2000)

    #394458

    I’m sure if search was back up for the forum, I’d be able to find this, but, alas….

    I kind of wanted to get the basics on digitally signing a VBA project. I know from what I have read previously that this allows you to bypass the Enable/Disable macros box (and even causes macros to be active if a user has not changed the default High security to Medium or Low).

    1. I’m assuming we would have to purchase some kind of signature or something from someone like Verisign?

    2. Would users have to download or authenticate (not even sure the right words here) that signature? Would they have to do anything, or would it be totally transparent?

    3. Would I have to re-sign the project every time I make changes?

    Thanks for the help!!
    Troy

    • #723022

      In Office 2000 it is sufficient to create your own signature. You can do so using SelfCert.exe, located in the office directory.

      Your users will be shown a warning at first opening of a file with your sig, in which they can either accept or reject you. Once accepted to trust all files from that source, I suspect they will get no more warnings from files signed by you.

      Not sure what happens with signed files when security is set to high.

      I’ve heard Office XP is more picky and wants verified signatures to achieve the same.

      I included a small sample file signed by me, that just shows a message when it opens with macros enabled.

      • #723034

        Thanks for the info!!

        I tested this with Security set to High and to Medium. I found only one difference, but that difference did not make sense (truly a MS “feature”). If the Security was set to Medium, you could Enable Macros each time or Disable them. You could also check or not check the box to always trust this source.

        However, if security is set to high, you cannot accept on a case by case basis. You can only Enable Macros if you select the “Always trust macros from this source” check box. I would think that in a high security environment, you would want the ability to accept/reject on a case by case basis. As Woody says, “Trustworthy computing.”

        Troy

        • #723056

          If I set security to high, I can only enable macros after checking the trust all … box. After that, I get no more macro warning for the book signed with this signature, whichever macro security level I have set.

          If I have security at medium, I can enable macros without checking the box, but only if the signature hasn’t already been marked as trusted.

    • #723580

      I purchased a VBA certificate from Thawte (owned by Verisign) a year ago. The developer certs as they’re called are good for one year and are $159 to renew (more for the initial purchase which is a pain in the butt with all the forms to fill out and verification). The selfcert.exe that comes with Office isn’t very secure but may be ok if you’re just developing things for your own company (not for use by the public).

      From your point of view (developer and purchaser/owner of the cert) you install the public/private key on your computer that makes this cert visible to your VBA projects. You select the certificate to be attached to your file (Excel in my case) from the IDE.

      There is nothing the user has to do to use a file that has a cert attached. I don’t know about Word versions, but in Excel97, certs are ignored so it doesn’t matter. In Excel2000 you’ll get the message at workbook open that this project has been digitally signed with ‘blah blah’ certificate. It’ll then give you the choice of forever enabling macros for all projects with this certificate. In Excel2002 the default security is high which means only digitally signed projects are allowed to run. I assume Word 97/2000/2002 has the same quirks.

      Many web sites have certificates so you’ve probably seen the message on occasion asking you to accept a certificate from blah company or a warning that the given certificate has expired (the company hasn’t paid the $ to update it).

      One good thing about certs is it gives an extra sense of security to the many folks who fear opening anything with macros. If your signed .xls file gets infected (or someone tries to tamper with it through other means), the next time it’s opened, the user will be warned that the file integrity has been compromised. If the cert wasn’t there, Excel would just open the file and who knows what will happen. It also gives your projects more ‘authenticity’ in my mind, more professional packaging than “oh, it’s just an Excel workbook.” This is especially true if you tend to develop large, complex Excel tools with lots of extra user interface stuff (more like standalone applications than a standard static workbook).

      My 2cents
      Deb

    • #723581

      I forgot to answer your question #4.

      No, you do not have to re-sign the project each time. This is because the cert was registered/installed on your computer which is the one which you’re using to develop your Word apps. If another person had legit access to your VBA code (you gave them the password to your project) BUT they did not have the cert installed, they would get an error message and the cert would be disabled.

      All these questions are ones I had myself last year and it was confusing for me too.

      Deb

      • #723614

        My experience is that you do need to re-sign a VBA project each time you make changes.

        You can configure your PC so that every attempt to use your certificate requires you to enter a password (which is my preference) or you can allow your certificate to be silently used to sign the project in the background.

        StuartR

        • #723626

          In one case I have code that copies a macro from the dot file that contains all the macros to the child document (a document based on that dot file). This is used in cases where the child document is sent to someone without the parent dot file. Will the signing have to be done to the child document or will that happen when the module is copied to the child document?

          Thanks!!
          Troy

        • #723958

          Since all my VBA is in Excel all I can say is that with Excel you don’t have to re-assign the cert each time you make changes. As long as I have the password to the code project and I’m working on a PC which has the cert installed then I can make any changes I want to the code and when I save/exit Excel, the cert is still there.

          Maybe Word is different because of the .dot file or other reasons???

          Deb

          • #724043

            When you say “and I’m working on a PC which has the cert installed” this sounds as though you have enabled access to your certificate without a password being needed. I don’t have to reassign the certificate to my code, simply to authorise its use via a password.

            I suspect you must have checked the “Remember password” box at some time in the past, or configured your certificate to a lower security level.

            StuartR

            • #724055

              Hmmm, I am new to this as my current Excel work is the only thing I’ve done with certs. I don’t remember exactly what I did as far as the importing of the key goes (the menu you attached) but I only did that once to install the key. I also did it when I exported then imported the key to another computer so I can add certs from that PC too. I probably did click the button to remember the password now that you mention it. Is that a no-no?

              So if I didn’t click the ‘remember’ button, each time I changed the code the cert would be de-assigned? I’d then have to re-select the cert to assign it and then provide the password? Is that how it goes?

              I just now paid for a renewal for another year but haven’t yet imported (if that’s the term) this new key to my PC yet.

              Deb

            • #724069

              When I modify my code it remembers what certificate I was using, but I get the dialog box I showed you to enable me to personally verify that I really did change it intentionally and that I wish to sign it again.

              I think you need to set the security to High and override the automatic caching of the password for this, but it seemed fairly straightforward at the time and I personally think that my digital signature is worth that kind of care.

              StuartR

            • #891887

              Hi Stuart – I bought a code signing certificate from Comodo, but I could not make it work (although I had no problem with Self Certificate). Do you recommend the Thawte certificate?

            • #891909

              I don’t think the certificate origin should make a difference. Did you buy a certificate that was authorized for code signing?

              When you buy a certificate you get two things: a private key that you use for signing things, and a certificate that has

              • A copy of your public key (that you share with other people)
              • Information about your key (such as expiry date and what it can be used for)
              • A signature, from the issuing authority, which verifies that this really is your public key and prevents you changing the other information

              So – if your key says that it can be used for Mail, but not for code signing, you can only use it for that purpose.

              Have you installed your certificate yet? How did you do so and where did you store it? Can you look at the certificate and see what it can be used for? The easiest way to look at your certificates is Internet Explorer > Tools > Internet Options > Content > Certificates. In this screen shot you can see a certificate of mine that is only valid for secure email – and couldn’t be used for code signing.

              Does this help you to get started?

              StuartR

            • #894360

              (Edited by HansV to make URL clickable – see Help 19)

              Hi Stuart,
              >Have you installed your certificate yet?
              I’m not sure … when I look in IE, Tools > Internet Options > Content > Certificates, I can see it and it says “Certificate Intended Purposes: Code Signing”.

              While researching my problem I found at the Thawte site instructions to run PVK Digital Certificate Files Importer (http://www.microsoft.com/downloads/details…;displaylang=EN) but this has not helped as I get a “command line error” when trying to run it.

              When I try to sign my VBA code, it appears to work, until I try to save the file and then I get the error.

            • #894362

              > it appears to work, until I try to save the file and then I get the error

              What is the exact error message that you get?

              StuartR

            • #894366

              In Excel I get no error message but when I close the file and then re-open it, the macro is no longer signed. In Word, the signature disappears when I save the file (no error message). In Outlook an error message appears when I try to save the VBA project “Microsoft Office Outlook. An error occurred while trying to sign the project. The unsigned project has been saved”

            • #894490

              I have been racking my brains and I can only think of three possible explanations for your problem.

              1. You have installed the public certificate for this signing key, but the private one is not installed.
              2. The certificate has a problem such as having expired or been revoked.
              3. You are not doing the right thing in the various applications where you are trying to use the certificate.

              So let’s try to eliminate some of these.

              1. From Internet Explorer try Tools > Internet Options > Content > Certificates > select your certificate > and click View. Look on the General tab. Does it include the text “You have a private key that corresponds to this certificate”?
              2. On the same dialog box, look in the Details tab. Anything seem amiss? What are the Valid from and Valid to dates for the certificate? On the Certification Path tab do you see the words “The certificate is OK”?
              3. Can you describe the exact sequence of dialog boxes that you go through when trying to sign a VBA project, in Word for example?

              StuartR
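
The checks StuartR lists above, plus the intended-purpose check from his earlier reply, can be scripted instead of read off the Internet Explorer dialog. This PowerShell is an added example, not part of the original thread; it assumes the certificate was imported into the current user's Personal store (`Cert:\CurrentUser\My`), and the function name `Test-SigningCertificate` is hypothetical.

```powershell
# Added example (not from the thread): report, for every certificate in the
# current user's Personal store, the properties the thread checks by hand in
# Internet Explorer > Tools > Internet Options > Content > Certificates.
# Assumption: the certificate was imported into Cert:\CurrentUser\My.

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Test-SigningCertificate {
    # Hypothetical helper name, introduced for this example only.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Check 1: is the private key present? Without it the certificate can
    # only verify existing signatures, never create one.
    $hasKey = $Certificate.HasPrivateKey

    # Intended purposes: a certificate with no EKU extension is valid for all
    # purposes; otherwise the Code Signing OID must be listed.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $purposes = @()
    if ($eku) { $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $ekuOk = (-not $eku) -or ($purposes -contains $CodeSigningOid)

    # Check 2: validity period (NotBefore/NotAfter are local times).
    $now = Get-Date
    $inDate = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)

    # Check 2, continued: certification path, including online revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Certificate)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [PSCustomObject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        HasPrivateKey    = $hasKey
        CodeSigningEku   = $ekuOk
        ValidFrom        = $Certificate.NotBefore
        ValidTo          = $Certificate.NotAfter
        InValidityPeriod = $inDate
        ChainOk          = $chainOk
        ChainStatus      = $chainStatus
        UsableForSigning = ($hasKey -and $ekuOk -and $inDate -and $chainOk)
    }
}

# Evaluate every certificate in the Personal store and list the results.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SigningCertificate -Certificate $_ } |
    Format-List
```

A certificate that reports `HasPrivateKey : False` can be selected in a certificate list but cannot produce a signature. A self-signed certificate reports `ChainOk : False` with an `UntrustedRoot` status until it is explicitly trusted.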

            • #894645

              Hi Stuart,
              Yesterday I requested my $$ back from Comodo and I have received it today. I’m going to try another certificate authority. However, I still have the certificate from Comodo on my machine. If I could get it working, I’d re-pay them, if you know what I mean.

              To answer your questions:
              >1. ….. and click View. Look on the General tab. Does it include the text “You have a private key that corresponds to this certificate”. ANSWER: Nope.

              >2. On the same dialog box, look in the details tab. Anything seem amiss? What are the Valid from and Valid to dates for the certificate? On the Certification Path tab do you see the words “The certificate is OK”? ANSWER: Everything looks OK and “The Certificate is OK” is displayed.

              >3. ANSWER: In Word (with Security set to Medium), I go to the IDE, and open a module in my Normal.dot template, choose TOOLS > Digital Signature. I see “The VBA project is currently signed as [No certificate]”. Click Choose button and select the Comodo certificate (the only one listed). Click OK. Now I see “The VBA project is currently signed as Ellwood & Assoc.” (which is my cert name). Click OK.

              Everything is lovely – if I go back to check in Tools > Digital Signature, it’s still there. But THEN I click the SAVE button and wham! When I go back to Tools > Digital Signature, the darn thing has gone back to “The VBA project is currently signed as [No certificate]”.

              The Comodo certificate is only $99 and they authorized me quickly with minimum documentation (as I’m not incorporated), so I would love to use them, but I’m moving on to Thawte now.

              Thank you so much … I’ll keep you posted on how it goes with Thawte.

            • #894707

              >1. ….. and click View. Look on the General tab. Does it include the text “You have a private key that corresponds to this certificate” . ANSWER: Nope.

              This is your problem. You have somehow managed to install the certificate without its private key. If you still have the original media and instructions that you received from Comodo then try reinstalling the certificate – making sure you follow all the instructions. You must have a private key if you want to use a certificate for signing. The one you have can only be used to check an existing signature.

              The tab should look like this.

              StuartR

            • #894721

              Thanks Stuart. I think I know how it happened … I was in a dither both times when I bought the certificates from Comodo … and I was clicking the BACK button in the browser to go back and make sure I was really getting the right kind of certificate. I noticed that this caused the private key “mykey.pvk” to get downloaded more than once but I didn’t worry about it. I guess when they issued the public key to me, I paid the consequences because their server must generate a new private key each time.

              The bad news is that I just bought a [much more expensive] cert from Thawte and, again, I was clicking the BACK button and I think I got the private key more than once. But at least, this time, if it doesn’t work, I’ll know exactly what to tell the support people.

              Warning to all who read this: WHEN BUYING A CODE SIGNING CERTIFICATE DO NOT USE BACK BUTTON IN BROWSER.

              Thank you Stuart!

            • #894737

              This doesn’t sound completely right. A private key only makes sense if it has a corresponding public key. Ah well, at least we know what to look for if it goes wrong again.

              StuartR
