Page 1 of 2 12 LastLast
Results 1 to 15 of 23
  1. #1
    4 Star Lounger
    Join Date
    Apr 2001
    Posts
    482
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Signing a VBA project (Word 2000)

    I'm sure if search was back up for the forum, I'd be able to find this, but, alas....

    I kind of wanted to get the basics on digitally signing a VBA project. I know from what I have read previously that this allows you to bypass the Enable/Disable macros box (and even causes macros to be active if a user has not changed the default High security to Medium or Low).

    1. I'm assuming we would have to purchase some kind of signature or something from someone like Verisign?

    2. Would users have to download or authenticate (not even sure the right words here) that signature? Would they have to do anything, or would it be totally transparent?

    3. Would I have to resign the project every time I make changes?

    Thanks for the help!!
    Troy

  2. #2
    Platinum Lounger
    Join Date
    Feb 2001
    Location
    Weert, Limburg, Netherlands
    Posts
    4,812
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    In Office 2000 it is sufficient to create your own signature. You can do so using SelfCert.exe, located in the office directory.

    Your users will be shown a warning at first opening of a file with your sig, in which they can either accept or reject you <g>. Once accepted to trust all files from that source, I suspect they will get no more warnings from file signed by you.

    Not sure what happens with signed files when security is set to high.

    I've heard Office XP is more picky and wants verified signatures to achieve the same.

    I included a small sample file signed by me, that just shows a message when it opens with macros enabled.
    Jan Karel Pieterse
    Microsoft Excel MVP, WMVP
    www.jkp-ads.com
    Professional Office Developers Association

  3. #3
    4 Star Lounger
    Join Date
    Apr 2001
    Posts
    482
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    Thanks for the info!!

    I tested this with Security set to High and to Medium. I found only one difference, but that differenct did not make sense (truly a MS "feature"). If the Security was set to Medium, you could Enable Macros each time or Disable them. You could also check or not check the box to always trust this source.

    However, if security is set to high, you cannot accept on a case by case basis. You can only Enable Macros if you select the Always trust macros from this source. check box. I would think that in a high security environment, you would want to the ability to accept/reject on a case by case basis. As Woody says, "Trustworthy computing."

    Troy

  4. #4
    Platinum Lounger
    Join Date
    Feb 2001
    Location
    Weert, Limburg, Netherlands
    Posts
    4,812
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    If I set security to high, I can only enable macros after checking the trust all ... box. After that, I get no more macro warning for the book signed with this signature, whichever macro security level I have set.

    If I have security at medium, I can enable macros without checking the box, but only if the signature hasn't already been marked as trusted.
    Jan Karel Pieterse
    Microsoft Excel MVP, WMVP
    www.jkp-ads.com
    Professional Office Developers Association

  5. #5
    5 Star Lounger jujuraf's Avatar
    Join Date
    Jun 2001
    Location
    San Jose, California, USA
    Posts
    1,061
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    I purchased a VBA certificate from Thawte (owned by Verisign) a year ago. The developer certs as they're called are good for one year and are $159 to renew (more for the initial purchase which is a pain in the butt with all the forms to fill out and verification). The selfcert.exe that comes with Office isn't very secure but may be ok if you're just developing things for your own company (not for use by the public).

    From your point of view (developer and purchaser/owner of the cert) you install the public/private key on your computer that makes this cert visible to your VBA projects. You select the certificate to be attached to your file (Excel in my case) from the IDE.

    There is nothing the user has to do to use a file that has a cert attached. I don't know about Word versions, but In Excel97, certs are ignored so it doesn't matter. In Excel2000 you'll get the message at workbook open that this project has been digitally signed with 'blah blah' certificate. It'll then give you the choice of forever enabling macros for all projects with this certificate. In Excel2002 the default security is high which means only digitally signed projects are allowed to run. I assume Word 97/2000/2002 has the same quirks.

    Many web sites have certificates so you've probably seen the message on occasion asking you to accept a certificate from blah company or a warning that the given certificate has expired (the company hasn't paid the $ to update it).

    One good thing about certs is it gives an extra sense of security to the many folks who fear opening anything with macros. If your signed .xls file gets infected (or someone tries to tamper with it through over means), the next time it's opened, the user will be warned that the file integrity has been compromised. If the cert wasn't there, Excel would just open the file who knows what will happen. It also gives you projects more 'authenticity' in my mind, more professional packaging than "oh, it's just an Excel workbook." This is especially true if you tend to develop large, complex Excel tools with lots of extra user interface stuff (more like standalone applications, than a standard static workbook).

    My <img src=/S/2cents.gif border=0 alt=2cents width=15 height=15>
    Deb

  6. #6
    5 Star Lounger jujuraf's Avatar
    Join Date
    Jun 2001
    Location
    San Jose, California, USA
    Posts
    1,061
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    I forgot to answer your question #4.

    No you do not have to resign the project each time. This is because the cert was registered/installed on your computer which is the one which you're using to develop your Word apps. If another person had legit access to your VBA code (you gave them the password to your project) BUT they did not have the cert installed, they would get an error message and the cert would be disabled.

    All these questions are ones I had myself last year and it was confusing for me too. <img src=/S/confused.gif border=0 alt=confused width=15 height=20>

    Deb <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

  7. #7
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Signing a VBA project (Word 2000)

    My experience is that you do need to re-sign a VBA project each time you make changes.

    You can configure your PC so that every attempt to use your certificate requires you to enter a password (which is my preference) or you can allow your certificate to be silently used to sign the project in the background.

    StuartR

  8. #8
    4 Star Lounger
    Join Date
    Apr 2001
    Posts
    482
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    In one case I have code that copies a macro from the dot file that contains all the macros to the child document (a document based on that dot file). This is used in cases where the child document is sent to someone without the parent dot file. Will the signing have to be done to the child document or will that happen when the module is copied to the child document?

    Thanks!!
    Troy

  9. #9
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Signing a VBA project (Word 2000)

    You will need to sign the child document

    StuartR

  10. #10
    5 Star Lounger jujuraf's Avatar
    Join Date
    Jun 2001
    Location
    San Jose, California, USA
    Posts
    1,061
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    Since all my VBA is in Excel all I can say is that with Excel you don't have to re-assign the cert each time you make changes. As long as I have the password to the code project and I'm working on a PC which has the cert installed then I can made any changes I want to the code and when I save/exit Excel, the cert is still there.

    Maybe Word is different because of the .dot file or other reasons???

    Deb

  11. #11
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Signing a VBA project (Word 2000)

    When you say "and I'm working on a PC which has the cert installed" this sounds as though you have enabled access to your certificate without a password being needed. I don't have to reassign the certificate to my code, simply to authorise its use via a password.

    I suspect you must have checked the "Remember password" box at some time in the past, or configured your certificate to a lower security level.

    StuartR

  12. #12
    5 Star Lounger jujuraf's Avatar
    Join Date
    Jun 2001
    Location
    San Jose, California, USA
    Posts
    1,061
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    Hmmm, I am new to this as my current Excel work is the only thing I've done with certs. I don't remember exactly what I did as far as the importing of the key goes (the menu you attached) but I only did that once to install the key. I also did it when I exported then imported the key to another computer so I can add certs from that PC too. I probably did click the button to remember the password now that you mention it. Is that a no-no?

    So if I didn't click the 'remember' button, each time I changed the code the cert would be de-assigned? I'd then have to re-select the cert to assign it and then provide the password? Is that how it goes? <img src=/S/thinks.gif border=0 alt=thinks width=15 height=15>

    I just now paid for a renewal for another year but haven't yet imported (if that's the term) this new key to my PC yet.

    Deb

  13. #13
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Signing a VBA project (Word 2000)

    When I modify my code it remembers what certificate I was using, but I get the dialog box I showed you to enable me to personally verify that I really did change it intentionally and that I wish to sign it again.

    I think you need to set the security to High and override the automatica caching of the password for this, but it seemed fairly straight forward at the time and I personally think that my digital signature is worth that kind of care.

    StuartR

  14. #14
    2 Star Lounger
    Join Date
    Jun 2002
    Location
    vancouver, BC, Br. Columbia
    Posts
    109
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Signing a VBA project (Word 2000)

    Hi Stuart - I bought a code signing certificate from Comodo, but I could not make it work (altho I had no problem with Self Certificate) <img src=/S/confused.gif border=0 alt=confused width=15 height=20> . Do you recommend the Thawte certificate?

  15. #15
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Signing a VBA project (Word 2000)

    I don't think the certificate origin should make a difference. Did you buy a certificate that was authorized for code signing?

    When you buy a certificate you get two things, A Private key that you use for signing things and a certificate that has
    <UL><LI>A copy of your Public key (that you share with other people)
    <LI>Information about your key (such as expiry date and what it can be used for
    <LI>A signature, from the issuing authority, which verifies that this really is your public key and prevents you changing the other information[/list]SO - if your key says that it can be used for Mail, but not for code signing, you can only use it for that purpose.

    Have you installed your certificate yet? How did you do so and where did you store it? Can you look at the certificate and see what it can be used for. The easiest way to look at your certificates is Internet Explorer > Tools > Internet Options > Content > Certificates. In this screen shot you can see a certificate of mine that is only valid for secure email - and couldn't be used for code signing.

    Does this help you to get started?

    StuartR

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •