  1. #1
    Star Lounger

    Signed project warning on certificate expiry

    We bought a certificate from Thawte and did some testing with signing projects. The distribution of the certificate and the signing of projects seem to work flawlessly and we are able to grant the signed project execution rights even with a high macro security setting.
    So far so good. But if we change the system date to a date after the expiry date of the certificate, we suddenly get a warning message that the signed project is no longer trustworthy.
    This means that one of our customers can work for a year with our product without problems and suddenly one day, without any changes to the installed project, he gets a message about the expiry of the certificate.
    Does anybody have a hint for a workaround? I fully understand that I'm no longer able to sign new projects with an expired certificate, but it seems silly that an old project the user might have used for months suddenly stops working.

  2. #2
    Plutonium Lounger

    Re: Signed project warning on certificate expiry

    The project should continue to work unless you are requiring a valid digital certificate in it. The message is annoying but it is a security feature to let you know that the certificate has expired. A lot of websites do the same thing. You can still visit the site, but you get a warning about the certificate.
    Charlotte

  3. #3
    Super Moderator jscher2000

    Re: Signed project warning on certificate expiry

    I think the idea behind code-signing is that the program checks the credentials again at run-time. Someone could have absconded with your code, and run-time checking makes it possible for you to revoke the signature at the registry to generate a warning. Not very convenient for your needs, but I think that was the general idea behind the behavior you describe.

  4. #4
    Star Lounger

    Re: Signed project warning on certificate expiry

    Thanks for the clarification. It seems that we have to continue working without using certificates. Some of our customers have our products installed on more than 10'000 machines and I do not want to know what their helpdesk would tell us if that kind of warning message suddenly popped up.
    Apparently this feature was not designed for wide use.

  5. #5
    Star Lounger

    Re: Signed project warning on certificate expiry

    Quite some time since I posted this message - in the meantime I managed to solve the issue. Perhaps someone else is still looking for it:

    One simply has to integrate a registry key to the time server of the code signing authority: E.g.
    [HKEY_CURRENT_USER\Software\Microsoft\VBA\Security]
    "TimeStampURL"="http://timestamp.XXXXX.com/scripts/timstamp.dll"
    "TimeStampRetryCount"=dword:00000010
    "TimeStampRetryDelay"=dword:00000001

    If the time server can be accessed during the time the code is signed, the validity of the certificate is checked against the time server's official time. This will prevent the signature from expiring even when the certificate expires. (Since the certificate was valid while the macro was signed, it is assumed that the code is still OK.)

  6. #6
    Platinum Lounger

    Re: Signed project warning on certificate expiry

    So how exactly does one do this? Write the reg keys manually?
    Jan Karel Pieterse
    Microsoft Excel MVP, WMVP
    www.jkp-ads.com
    Professional Office Developers Association

  7. #7
    Star Lounger

    Re: Signed project warning on certificate expiry

    Yes that's exactly what we do. (We simply import a matching registry file.)
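
The effect described in post #5, as an added example that is not part of the original thread: a simplified Python model of why a timestamped signature keeps validating after the signing certificate expires while an untimestamped one starts to warn. The `Signature` class, the `evaluate` function and all dates are constructed for illustration; real verification also checks the certificate chain, revocation and the timestamp server's own certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Signature:
    cert_not_before: datetime             # start of the signing certificate's validity
    cert_not_after: datetime              # expiry date of the signing certificate
    timestamp: Optional[datetime] = None  # signing time attested by the time server, if any


def evaluate(sig: Signature, now: datetime) -> str:
    """Return 'trusted' or a warning reason (simplified model, not Office's code)."""
    if sig.timestamp is not None:
        # Timestamped: the certificate is judged at the attested signing time.
        if sig.timestamp > now:
            return "warn: timestamp lies in the future"
        reference = sig.timestamp
    else:
        # No timestamp: the only clock available is the verifier's current time.
        reference = now
    if reference < sig.cert_not_before:
        return "warn: certificate not yet valid at reference time"
    if reference > sig.cert_not_after:
        return "warn: certificate expired at reference time"
    return "trusted"


# Constructed sample values: a one-year certificate and a project signed mid-year.
UTC = timezone.utc
NOT_BEFORE = datetime(2002, 1, 1, tzinfo=UTC)
NOT_AFTER = datetime(2003, 1, 1, tzinfo=UTC)
SIGNED_AT = datetime(2002, 6, 1, tzinfo=UTC)
AFTER_EXPIRY = datetime(2003, 6, 1, tzinfo=UTC)


def demo() -> dict:
    plain = Signature(NOT_BEFORE, NOT_AFTER)
    stamped = Signature(NOT_BEFORE, NOT_AFTER, timestamp=SIGNED_AT)
    return {
        "plain, before expiry": evaluate(plain, SIGNED_AT),
        "plain, after expiry": evaluate(plain, AFTER_EXPIRY),
        "stamped, after expiry": evaluate(stamped, AFTER_EXPIRY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```
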
