Is it possible to sign a Excel VBA project including timestamp?

Question

I sign VBA code in Excel files automatically with digital signature, which works well using X509Certificate2 and EPPlus. Now I want to include a timestamp, any idea where i could set this?

If I sign the code manually in VBA Editor - Tools - Digital Signature, the code is well signed with timestamp (and countersignature). So it remains valid when the cert of the signing person has expired. But when signing with EPPlus is doesn't. In ExcelVBASignature.cs it looks as this function would be prepared yet..

Here's how I do it so far:

using System;
using System.IO;
using OfficeOpenXml;
using System.Security.Cryptography.X509Certificates;
...
X509Certificate2 cert = new X509Certificate2 ( PFXfile, PFXpass, X509KeyStorageFlags.PersistKeySet );
using ( ExcelPackage xl = new ExcelPackage ( new System.IO.FileInfo ( Excelfile ) ) )
{
    using ( ExcelWorkbook wb = xl.Workbook )
    {
        wb.VbaProject.Signature.Certificate = cert;
        xl.SaveAs ( new System.IO.FileInfo ( TargetPath ) );
    }
}

Is `Certificate.HasPrivateKey` true? Seems to be that it will not work if not. — Ernie S, Jul 13 '19 at 01:09
Yes, it has. I requested the certificate from my CA with the option "Make private key exportable". — Rigazoni, Jul 15 '19 at 11:15

score 14 · Accepted Answer · answered Jul 15 '19 at 12:07

14

My request could be solved using Microsoft SignTool instead of EPPlus:

I use Microsoft SignTool (from Microsoft Windows 10 SDK) with the Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects.

Detailled Information:

Download and install the SDK.
The folder including signtool.exe is e.g. C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86
Be sure to use the x86 Folder.
Download and extract the SIP Package.
Read and follow the contained file readme.txt
Choose your preferred parameters and options of signtool.exe

Example: With the following command the VBA-Code inside the Excel file is signed with a countersignature using the certificate file including a private key. The Excel workbook itself will not be signed.

signtool.exe sign /f "CertificateFile.pfx" /p "P@ssw0rd" /fd "SHA256" /tr "http://rfc3161timestamp.globalsign.com/advanced" /td "SHA256" "D:\ExcelFileWithVBA.xlsm"

answered Jul 15 '19 at 12:07

Rigazoni

209
2
9

1

One additional remark: If you don't want the certificate's password to be part of the command, you could instead (1) determine it's thumprint in the PowerShell with Get-PfxCertificate my.pfx (2) import the certificate into your local cert store and (3) replace the /f and /p parameters with /sha1 – Michael Schmeißer Jun 21 '22 at 11:36
1

This doesn't work for me. Does SignTool.exe work with office files? The error is "An error occurred while attempting to sign: D:\ExcelFileWithVBA.xlsm. This file format cannot be signed because it is not recognized." – SF Lee Oct 10 '22 at 23:22
1

I followed these instructions today and it worked for me @SFLee. you probably have no registered the dll as per the readme, or are not using the x86 signtool – dten Oct 27 '22 at 12:22
@SFLee also make sure you regsvr32.exe msosipx.dll in admin right – Frank Myat Thu Nov 04 '22 at 02:53
I have been using the VBA signer for *many* years. However, My timestamped cert just expired and customers are complaining that the software stopped working. A new VBA bug in Excel? – Tuntable Jul 27 '23 at 03:26

Is it possible to sign a Excel VBA project including timestamp?

1 Answers1

Linked