This is supplemental information to the article:

Developer's Corner: Digitally Signing Office VBA Projects

by Lee Hudspeth
(This article first appeared in TNPC #3.23)

This is supplemental material that mainly consists of much more detail for each item in the checklist, plus some additional resources at the end of this page.

  1. Put one person in charge of code signing.

    Appoint one person in your organization as the Code Signing Officer. Her role will be to follow through with the remaining steps in this process, and to issue all of the company's digital code signatures.

  2. Choose a Certificate Authority.

    For a list of Certificate Authorities, click here.

  3. Establish one PC as the "code signing" PC.

    Configure the code signing PC to meet the requirements of your Certificate Authority. Typically this means running a PC with either Microsoft Windows 98, Millennium Edition, or Windows 2000 as the operating system, and using Microsoft Internet Explorer 4.0 or higher (5.0 or higher is best, given its more robust certificate import/export capabilities). There may be other Certificate Authority-specific requirements, so do your pre-enrollment research carefully.

  4. Apply online for a digital certificate, while on your code signing PC.

    Apply for the digital certificate using your code signing PC. Do *not* switch or upgrade PCs, operating systems, or browsers in the midst of the enrollment process. If you do, you'll have to start over again and cough up another enrollment fee.

    You'll get a private key during the enrollment process. You should store the master copy of the private key on removable media (floppy disk, Zip disc, whatever suits you) in a highly secure place like a safe deposit box, and keep a backup copy handy but equally secure.

  5. Pick up your digital certificate using your code signing PC.

    Upon approval by the Certificate Authority, pick up the digital certificate using your code signing PC.

  6. Turn on timestamping on your code signing PC.

    Be sure to timestamp your digital signatures. The precise technique for doing so varies from one Certificate Authority to the next. By timestamping, the software behind digital certificates can verify that a particular signature was applied while the certificate was still valid, that is, before its one-year expiration date.

    Annoyingly, there is only one way to be certain that a file was successfully timestamped when you sign it. You must watch your modem lights (or firewall activity indicator) for a brief flurry of communication between your PC and the timestamping server at the moment that the digital certificate is applied (see next step). There is no user interface or properties sheet for a file to indicate that its digital signature has been timestamped.

    New Tool: PRIME TimeStamper
    Shameless plug coming! Our firm PRIME Consulting Group, Inc. has developed a tool called PRIME TimeStamper that completely relieves the Office developer of the time-consuming hassle involved in turning timestamping on and off. Ideally, you want to turn timestamping on only once when you do the final compile for a project. Even on a high-speed Internet connection, every time you save an Office VBA project with timestamping turned on, the save operation can take longer than you'd like to wait. (That's the nature of getting the timestamp from the authority's server.) PRIME TimeStamper works in both Office 2000 and the latest beta of Office 10 (also known as Office 2002). For more information about PRIME TimeStamper, or to purchase your copy now (covered by our lifetime money-back guarantee), click here.



  7. Run the PVK Digital Certificate Files Importer on your code signing PC.

    This tool (a stand-alone executable file called PvkImprt.exe) allows you to import the PVK and SPC components of your digital certificate into your personal certificate store. This is an elaborate way of saying into your Registry. For more information, click here.

    If you skip this step, when you sign an Office VBA project your digital certificate won't persist and you'll be left scratching your head as to why the signature keeps disappearing.

  8. Sign the Office files that store your code using your code signing PC.

    Make sure you're connected to the Internet. Assuming the file is a Word template, open the template, start Word's Visual Basic Editor, and select the template's VBA project in the Project Explorer. Now select Tools, Digital Signature, Choose, select your company's digital certificate from the list, OK, OK. Save the Word template. Once saved it has been signed and timestamped.

  9. Test the signed file on any PC.

    Notice that you can test on any PC, not just your code signing PC. Set Word's macro security level to High, close Word, restart Word, and open the signed template. If this is the first time this PC has ever opened a file digitally signed by your company's digital certificate, you'll see a Security Warning prompt. After setting this trust level, whenever you open that template on this PC--even with a High macro security level setting--there will be no macro warning dialog and the code behind the template will be silently enabled, as it *should* be for an add-in from a trusted source.

What happens if you don't timestamp a project? Try it: digitally sign but do not timestamp a test project, advance your system clock to a time beyond one year from the date of your digital certificate's issuance, and open the project. The resulting Security Warning dialog will state, "A certificate (signing or issuer) has expired." If you click the Details button, the Certificate dialog appears and its General tab will report, "This certificate has expired or is not yet valid." So to test your signed and timestamped project, advance your system clock as previously described and open your project; it should behave normally, that is, no Security Warning dialog.
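
The clock-advance test above, as a simplified model in Python (an added example, not part of the original article). The dates and the names Certificate, Signature, evaluate and CERT are constructed for illustration; certificate chain, revocation and timestamp-server checks are assumed to pass.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Certificate:
    not_before: datetime
    not_after: datetime

    def covers(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after

@dataclass
class Signature:
    cert: Certificate
    # Signing time vouched for by the timestamping server; None if not timestamped.
    timestamp: Optional[datetime] = None

def evaluate(sig: Signature, clock: datetime) -> str:
    """Simplified verdict for a signed project opened at time `clock`."""
    if sig.timestamp is not None:
        # Timestamped: the certificate is judged at signing time, so the
        # verifying PC's clock no longer matters.
        if sig.cert.covers(sig.timestamp):
            return "valid"
        return "invalid: signed outside the certificate's validity period"
    # Not timestamped: only the verifying PC's clock is available.
    if clock < sig.cert.not_before:
        return "not yet valid"
    if clock > sig.cert.not_after:
        return "expired"
    return "valid"

# Constructed dates: a one-year certificate, signed two months after issuance.
ISSUED = datetime(2001, 1, 15)
CERT = Certificate(ISSUED, ISSUED + timedelta(days=365))
SIGNED_AT = ISSUED + timedelta(days=60)

def clock_advance_experiment() -> dict:
    """Open both test projects with the clock set past the expiration date."""
    later = CERT.not_after + timedelta(days=30)
    return {
        "signed only": evaluate(Signature(CERT), later),
        "signed and timestamped": evaluate(Signature(CERT, SIGNED_AT), later),
    }

if __name__ == "__main__":
    for project, verdict in clock_advance_experiment().items():
        print(f"{project}: {verdict}")
```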

Your Certificate Authority will provide you with the necessary tools and instructions to sign a file other than an Office document.

There is a user interface for verifying the digital signature of a non-Office file: right-click the file in Windows Explorer, choose Properties, then click the Digital Signatures tab. Annoyingly, there is no such tab for Office document files. See the figure below.

[Figure: PRIME TimeStamper]

A parting tip... to read the Microsoft Office 2000 Macro Security white paper, click here.

You can reach Lee Hudspeth at:
leehudspeth@TheNakedPC.com
