12

Is there a way to automate code signing a VBA project in a Word 2003 and/or Word 2007 document?

By automate I mean via a command line utility or via Word VBA automation?

Motivation: I would like to code sign several Word templates as part of an automated daily build and distribution cycle. Right now we have to do this manually by opening each document in Word and resigning.

Thank you, Malcolm

Malcolm
  • 1
    Start with a signed base template, make needed modifications, and save as. This preserves the digital signature. – AMissico Mar 12 '10 at 08:33
  • I imagine you could do it through SendKeys - you'd just need to send Alt, then T, then D, then Enter. Pretty horrid way of doing things, of course, but it's always an option. – Richard Gadsden Jul 29 '10 at 14:55

4 Answers

2

I've never seen a way to do this. I had an automated build of a template years ago and at the end I popped up a message box saying "you have to go sign the template now" and then opened VBA for them. Just saying I feel your pain I guess.

Tom Winter
  • 1
    Thanks for the thoughts Tom (misery loves company). I'm shocked that there doesn't seem to be a way to do this. I'm continuing to search on my own, independently of this post. – Malcolm Mar 11 '10 at 19:03
0

This may be worth a look: http://winbatch.com/

0

For anyone coming across this question a decade later, it seems to be possible to automate signing of VBA projects using SignTool in the Windows 10 SDK as described in this Microsoft Support page. I'll quote the specific instructions here too:

  1. Download and install the Windows 10 SDK.
  2. Download Officesips.exe from Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects.
  3. To sign files and verify the signatures in files, register Msosip.dll and Msosipx.dll, and then run Offsign.bat. The detailed steps are included in the Readme.txt file in the installation folder of Officesips.exe.
  • Note: Use the x86 version of SignTool in the "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86" folder when you run Offsign.bat.

Haven't done this myself yet but likely will in the near future. I'll update this answer if I learn anything.

Matt Wanchap
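A build-step sketch for the SignTool procedure quoted in the answer above, added here as an example and not taken from the answer or from Microsoft's package. It assumes Msosip.dll and Msosipx.dll are already registered as in step 3, and it calls the x86 SignTool directly rather than through Offsign.bat, whose own arguments are documented in its Readme.txt. The parameter names, the template folder and the timestamp server are assumptions to be supplied by the build.

```powershell
# Added example: sign and verify Word templates as a build step.
# Assumes the Office SIPs (Msosip.dll, Msosipx.dll) are already registered.
param(
    [Parameter(Mandatory)] [string] $TemplateDir,     # hypothetical: folder holding built templates
    [Parameter(Mandatory)] [string] $CertThumbprint,  # SHA-1 thumbprint of the signing cert in CurrentUser\My
    [Parameter(Mandatory)] [string] $TimestampUrl,    # RFC 3161 timestamp server chosen by the build owner
    [string] $SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\signtool.exe'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SignTool)) {
    throw "x86 SignTool not found at $SignTool"
}

# Stop early if the certificate is missing, has no private key, or has expired,
# so the build never ships templates carrying a signature that cannot validate.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $CertThumbprint } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate $CertThumbprint not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

$templates = @(Get-ChildItem -LiteralPath $TemplateDir -File |
    Where-Object { $_.Extension -in '.dot', '.dotm' })
if ($templates.Count -eq 0) { throw "No templates found in $TemplateDir" }

$failed = @()
foreach ($file in $templates) {
    # Select the key by thumbprint so no PFX password is stored in the script.
    & $SignTool sign /sha1 $CertThumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $file.FullName
    if ($LASTEXITCODE -ne 0) { $failed += "$($file.Name): sign failed"; continue }

    # Verify right after signing; /pa applies the default Authenticode policy.
    & $SignTool verify /pa $file.FullName
    if ($LASTEXITCODE -ne 0) { $failed += "$($file.Name): verify failed" }
}

if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Error $_ -ErrorAction Continue }
    exit 1   # fail the build so unsigned templates are not distributed
}
Write-Output "Signed and verified $($templates.Count) template(s)."
```

Running the signing step under a dedicated build account whose certificate store holds only this key keeps the private key out of reach of other jobs on the same agent.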
-2

I do not believe there is an automated way to do this because it would defeat the security of code-signing VBA Project signing.

The two message digests are compared, and if any part of the file has been modified or corrupted, the digests will not match and the contents of the file can't be trusted. The verification process will fail regardless of how the file was modified - whether through corruption, a macro virus, or programmatic changes made by an add-in or Office solution. The verification process will also fail if the file wasn't signed with a valid certificate; that is, if the certificate had expired, or had been forged, altered, or corrupted. If another user modifies the VBA project, the Office 2000 application removes the current signature and prompts the user to re-sign the VBA project; if the user doesn't sign the VBA project or signs it with another certificate, the file may fail the verification process.

Inserted from http://msdn.microsoft.com/en-us/library/aa190113(office.10).aspx

Code signing has the additional level of security in the fact that a developer must compile source code. A macro is not compiled and can be distributed as text. Therefore, automating macro signing would open a large security hole. Manually signing a macro is similar to Outlook prompting the user to allow programmatic access to the address book.

AMissico
  • 1
    I'm not sure I buy that conclusion because I can create scripts that code sign my executables and dlls. Furthermore, when I'm signing a VBA project, all I'm doing is selecting a certificate - I'm not even being prompted for a password. – Malcolm Mar 12 '10 at 07:49
  • True, but notice that there is no automated way to set the password for a VBA project. Moreover, you are not prompted for a password because the private key is already in the certificate store. Code signing is automated because developers have to compile the code before deployment, which is a level of security. – AMissico Mar 12 '10 at 08:01
  • Besides, if a developer really wanted to automate this process, I am sure they can come up with a way since they have complete control of their machine. – AMissico Mar 12 '10 at 08:05
  • Imagine how big the possible Office security hole would be if a hacker could create "sign macros" on a target machine. – AMissico Mar 12 '10 at 08:14
  • Thank you for your patience in answering this question :) – Malcolm Mar 12 '10 at 11:41