• Unsigned macro (Excel 97)

    #370283

    In response to a previous post that I had, LegareColeman had indicated that the problem that I was having with Excel 97 macros in Excel 2000 might be that the macro security setting was at High and that unsigned macros were being automatically disabled. It turned out that that was the problem. Can someone tell me what an “unsigned macro” is and if there’s a way that I should be “signing” my macros so that they aren’t disabled?

    • #585438

      Excel has the capability to attach an electronic signature to a macro that Excel can use to identify the author of the macro. If Excel is told that it can trust that author, then when Excel sees macros that match the electronic signature, then the macro is enabled if security is high, and if security is medium, the user is not asked if the macros should be enabled.

      You have to buy the electronic signature from one of several companies that sell them, and provide a service to validate signatures. If you get the Excel 2000 developers edition, it comes with a way to create your own signature.

      • #585440

        Thank you for the explanation.

      • #585471

        As a further thought to the ‘signing macro’ question – when I last looked Verisign wanted $400 USD annually to provide authentication services, and it looked like they were asking for the equivalent of an SEC 10K or something to even consider providing it. After I e-mailed them to say that this was an astoundingly high charge they called me back to say that they consider that they are providing a guarantee that I will not be writing malicious code, and there is a high cost of providing that assurance to the user.

        This is nonsense, as all Verisign provides is assurance that if the code was signed by “D Cardno” that it actually came from D Cardno and has not been altered. Anyone who chooses to run code from D Cardno on their computer is taking their chances based on what they know of me (heh heh heh….) – the signature just reduces the risk that they are getting damaged (or deliberately altered) goods in the process. The nice lady from Verisign didn’t seem to understand that concept, and in our litigious age, perhaps they are providing a warranty that they don’t intend to, but will be forced on them by the courts – I doubt it, but you never know.

        In any event, if you make your living by selling VBA or VB code, then it is probably worth it to get the signature system set up – but then you probably have the developer’s edition anyway. If, like me, you sell the occasional bit of code in connection with analysis of a much larger problem (I do financial and economic analyses of pipelines and power plants – every now and then it is helpful to automate some of the iterative calculations) then it is not worth it.

        My clients just have to trust me to write code that won’t screw up anything on their computers (just like they would if I used Verisign anyway). For integrity of code between me and them, I encrypt e-mails with PGP: if they don’t have it I recommend that they get it and use it. If they don’t I tell them that I will not be responsible for loss of confidentiality or errors in transmission due to insecure e-mail communication, and suggest that we just exchange floppies. Inevitably, they accept the e-mail risk in the interests of speedy, convenient communication.

        People can be swept into mass hysteria by the Kournikova virus, and practically wet themselves at the suggestion that a ‘hacker’ could break into their data files on a reasonably secure server that no one has any interest in, but they will not take the most basic easily-implemented steps to protect against an insecure communications channel open to anyone who is curious!

        • #585681

          I agree with you about what a digital cert buys you. They make it sound like it guarantees that your code will work as advertised when actually it just lets the end user know that you are who you claim to be, nothing about code quality. It does however help notify the user if the code has been tampered with by someone other than you.

          I do have the Office Developer’s kit but I still bought the certificate from Thawte which is 1/2 the price of VeriSign (although they are owned at least partly by VeriSign it seems). The one that comes with the Dev kit is very wimpy as far as security goes. For my company’s use, the advantages are more of an increased confidence that what the end user has did come from who they say it came from. Many people are afraid to run anything with macros and all the neat and cool tools my group writes use macros.

          I’ve had other non-Office related horror stories about digital certificates though. One device driver I have (CD-RW I think) supposedly had a signature that Win2k didn’t like and so it disabled it automatically. This didn’t interfere with the CD/RW until I rebooted and then Win2k promptly removed the driver for me with some messaging about the driver’s signature. The company says their driver is compatible with Win2k but Win2k keeps disabling it. No win situation.

          Deb bash

    • #585529

      If your copy of Excel 2000 has been installed with the Digital Signature option, you’ll find that there’s a handy little program called SelfCert.exe installed – default location: C:\Program Files\Microsoft Office\Office folder.

      Click on that and it will step you through the necessary steps on creating a Digital Certificate for no cost other than your time. Having done that, choose the relevant module in your VBE and click on Tools|Digital Signature and you will be able to sign the code.

      The signature will travel with your code. It will not, of course, be a supersonic Verisign signature, but, for users that choose to trust you – on whatever Excel 2000 machine – it will remove the message on Medium security. I seem to remember, on a High security machine, you may first have to go through the “Trust” message box on a Medium security setting before you can get the code to run on High security, but I’m not sure. Maybe Legare can remember. HTH
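
Added example, not part of any post in this thread and not Excel's own implementation: a Python sketch of what the replies say a macro signature does, namely tie the exact macro text to the author's key, and how the High and Medium settings then act on it. The toy RSA key, the function names, the sample macros, and the handling of an altered or untrusted signature on High are assumptions made for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays with the author
PUB = (N, E)                        # public key: what a "trusted sources" list holds


def digest(code: str, n: int) -> int:
    """SHA-256 of the macro source, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(code.encode()).digest(), "big") % n


def sign(code: str) -> int:
    """Author side: bind the exact macro text to the private key."""
    return pow(digest(code, N), D, N)


def verify(code: str, sig: int, pub: tuple) -> bool:
    """User side: True only if `code` is exactly what the key holder signed."""
    n, e = pub
    return pow(sig, e, n) == digest(code, n)


def macro_decision(level, code, sig=None, pub=None, trusted=frozenset()):
    """High/Medium outcome as the replies describe it."""
    if sig is not None and pub in trusted and verify(code, sig, pub):
        return "enabled"     # trusted author, unaltered code: no prompt at all
    if level == "high":
        # Unsigned on High is disabled (per the thread); treating an altered or
        # untrusted signature the same way is this sketch's assumption.
        return "disabled"
    return "prompt"          # Medium: the user is asked


# Constructed sample macros: the second differs by one digit.
ORIGINAL = 'Sub SetRate()\n    Range("B2").Value = 0.08\nEnd Sub'
ALTERED = 'Sub SetRate()\n    Range("B2").Value = 0.80\nEnd Sub'

if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print(verify(ORIGINAL, sig, PUB), verify(ALTERED, sig, PUB))
    for level in ("high", "medium"):
        print(level, macro_decision(level, ORIGINAL),
              macro_decision(level, ORIGINAL, sig, PUB, {PUB}),
              macro_decision(level, ALTERED, sig, PUB, {PUB}))
```

Nothing in `verify` looks at what the macro does: a buggy macro signs and verifies exactly like a correct one, which is the point made in #585471 and #585681.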
