Why should I digitally sign my macros?

Hi,

I have created a certificate, placed it in the Trusted Root Certification Authorities folder, and signed my macro project with it. Since the code will be distributed within my company, security by means of a digital certificate has been asked for.

I tested this on a virtual machine on my laptop. The macro security settings in Word are set to "Disable all macros except digitally signed macros". But when I load the template with the macros, the notification bar appears, stating that my macros have been disabled. This is not the case when I put the template in a trusted location.

I messed with the project's code, and a message box popped up that forced me to choose between not saving the template, or removing the digital signature. Yes! I chose the latter. After restarting Word, however, the macro appears to run smoothly with no warning whatsoever - this is of course due to the trusted location. I have an AutoExec macro in the project that displays a "Welcome" userform, and the form shows up. It would be nice if in this case "Disable all macros except digitally signed macros" somehow had priority, but no.

And.

Users may activate templates (.dotx) by means of buttons in a custom ribbon; doing so once again displays the notification bar stating that certain active content has been disabled. Huh? None of the templates contain active content. Furthermore, when I look under Home | Info, I find that "certain active content" in fact has been disabled in my project template. Still, the AutoExec macro runs.

Two questions (of which A is by far the most important):
A: What do I gain by having my code signed?

B: When I wanted to sign my code again, my certificate was not shown any longer. Why is that? Removing and reinstalling the certificate did not help.

Thank you,

Cooz

Anyone?


Not my area of expertise, but I believe that your certificate would have to be pushed to the TRCA folder of all users. At a previous company, our IT dept created a certificate for our department and then silently rolled the certificate out so internal users would not be asked to enable our macros.

If your test virtual machine did not have the appropriate copy of the certificate in the TRCA folder, then this sounds like the behavior I would expect - you wouldn't want to auto-open every document that is signed, just the ones signed by someone you trust (per the TRCA list).

So one benefit of a digital signature is that it is more convenient for users with your certificate loaded. You can also use that certificate to sign different files, or new versions of your old file without triggering new permissions alerts.

Unfortunately I can't speak to the certificate management process, or why you aren't seeing your own certificate.

HTH


Hi Keith,

Thank you for replying.

"I believe that your certificate would have to be pushed to the TRCA folder of all users." This was the case: in my test, I was the only user, and I had the certificate in the TRCA folder.

"If your test virtual machine did not have the appropriate copy of the certificate in the TRCA folder, then this sounds like the behavior I would expect" - indeed, but it did.

I will advise not to use a digital certificate, but to implement security only by means of password protecting the code, and placing the template in a trusted location. If users only have read permissions on this location, no one can alter the code even when they have the password.

In my humble opinion, this should be safe enough - but am I seeing the whole picture here? I mean, is there anything a digital certificate has to offer in addition? If I set my project up like in the previous paragraph, there aren't any security risks, I won't have to deal with the strange behavior I mentioned, and I can be sure the code runs without warnings or messages. What am I overlooking?

Can you - or anyone - comment on this?

Thank you,

Cooz
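
Added example (not part of the thread, and not code from any poster): a read-only PowerShell check of the three things that decide the behavior discussed above, namely which certificate stores hold the signing certificate, which macro setting Word actually applies, and which trusted locations bypass it. With "Disable all macros except digitally signed macros", Word runs signed code without a notification only when the signer is in the Trusted Publishers store, and signing again needs the certificate with its private key in the Personal (My) store. Assumptions: the Office `16.0` registry path and the thumbprint placeholder must be replaced with your own values.

```powershell
# Added example, not from the thread. Read-only checks for the current user.
param(
    [string]$Thumbprint    = '<SIGNING-CERT-THUMBPRINT>',  # placeholder
    [string]$OfficeVersion = '16.0'                        # assumed version
)

# 1. Which stores hold the signing certificate? Root makes the chain valid,
#    TrustedPublisher marks the signer as trusted, My holds the private key
#    needed to sign again.
$certReport = foreach ($scope in 'CurrentUser', 'LocalMachine') {
    foreach ($store in 'Root', 'TrustedPublisher', 'My') {
        $hit = @(Get-ChildItem "Cert:\$scope\$store" -ErrorAction SilentlyContinue |
                 Where-Object Thumbprint -eq $Thumbprint)
        $found = $hit.Count -gt 0
        [pscustomobject]@{
            Store         = "$scope\$store"
            Present       = $found
            HasPrivateKey = if ($found) { $hit[0].HasPrivateKey } else { $null }
            NotAfter      = if ($found) { $hit[0].NotAfter } else { $null }
        }
    }
}
$certReport | Format-Table -AutoSize

# 2. Effective macro setting for Word: a policy value wins over the user's choice.
$meaning = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification'
              3 = 'Disable all except digitally signed'; 4 = 'Disable without notification' }
$userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security"
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
$v = $null
foreach ($key in $policyKey, $userKey) {
    $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -ne $v) { "VBAWarnings = $v ($($meaning[[int]$v])) from $key"; break }
}
if ($null -eq $v) { 'VBAWarnings not set: Word default (disable with notification)' }

# 3. Trusted locations: files opened from these paths skip the signature check.
$locations = foreach ($key in $policyKey, $userKey) {
    Get-ChildItem "$key\Trusted Locations" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Source = $key; Path = $p.Path
                           AllowSubFolders = [bool]$p.AllowSubFolders }
    }
}
$locations | Format-Table -AutoSize -Wrap
```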


 
 

Last updated August 22, 2022