Thread: Digital code signing (e.g. Thawte). Anyone do this?

  1. #1
    tpoynton (VBAX Mentor) | Joined: Feb 2005 | Location: Clinton, MA | Posts: 399

    Digital code signing (e.g. Thawte). Anyone do this?

    Greetings,

    I'm considering buying a 'VBA developers certificate' to digitally sign VBA code, and was just wondering if anyone uses digital code signing for their VBA projects. I haven't considered it before because I pretty much only distribute one add in, as xla, via a website. If installed 'manually', no scary sounding MS warnings appear. Now I've got Johnske's automated installer working just fine, and I like it...except for the security warning. I've been doing some testing of the installer with users, and they don't know how to handle the warning and follow MS's recommendation to disable macros...which isn't a terrible thing in the big picture (in spite of documentation/instructions telling people what to do, and why it's safe). Also, even when people follow the instructions to temporarily lower security from high to medium, some fail to close and reopen Excel for the security settings to take effect...and I get an email

    To answer a question you may have...Why not go the exe route? A good # of users are Mac users, and (when distributed as xla anyway) administrator rights are not typically needed to install, which is good for use in computer labs/classrooms (I've only heard of one Mac computer lab that couldn't install 'manually' via xla). Why not have users do (whatever)? Well, all my add in does is provide a UI for a lot of data analysis things Excel does anyway...so a good # of users are not really 'Excel users'. The add in is also free, so making enough money to justify the cost of the signing isn't going to happen...I make enough from Google ads on my site to cover webhosting, but that's about it. However, 'for the greater good', I might bite the bullet and do this.

    I thought I'd see what people thought. I've searched the forum and have only seen it mentioned as being ridiculously expensive (300 bucks a year from Thawte). There is an interesting thread on makecert from two years ago which might be good for some of the people here...

    I've emailed Thawte twice with some other questions I had with no answer, which I might ask if people here do this kind of digital code signing.

  2. #2
    mdmackillop (Administrator, VP-Knowledge Base, VBAX Grand Master) | Joined: May 2004 | Location: Scotland | Posts: 14,489
    I hadn't seen that post. It looks interesting.
    MVP (Excel 2008-2010)

    Post a workbook with sample data and layout if you want a quicker solution.


    To help indent your macros try Smart Indent

    Please remember to mark threads 'Solved'

  3. #3
    Ken Puls (Moderator, VBAX Guru) | Joined: Aug 2004 | Location: Nanaimo, BC, Canada | Posts: 4,001
    I'd forgotten about it, myself...

    I can't find the file on this PC (running Vista with both Office 2003 and 2007). I'd be curious to hear more about it though...
    Ken Puls, CMA - Microsoft MVP (Excel)
    I hate it when my computer does what I tell it to, and not what I want it to.

    Learn how to use our KB tags! -||- Ken's Excel Website -||- Ken's Excel Forums -||- My Blog -||- Excel Training Calendar

    This is a shameless plug for my new book "RibbonX - Customizing the Office 2007 Ribbon". Find out more about it here!

    Help keep VBAX clean! Use the 'Thread Tools' menu to mark your own threads solved!





  4. #4
    tpoynton (VBAX Mentor) | Joined: Feb 2005 | Location: Clinton, MA | Posts: 399
    Thought I'd quickly share my experiences with purchasing, and initially using, a digital code certificate from Comodo.

    First, the process is not well documented on their website for buying a certificate to sign VBA projects. Support was very good, however, and reissued the certificate three times (maybe 4) for me until I got it right.

    An issue not discussed on the Comodo site at all is timestamping in the VBE, which ensures code you sign does not expire when your certificate does. You need to create three registry values, documented here. I had to set the retrycount and delay reg values to 5 to get it to work. Thawte and Verisign have better Office-specific documentation that Google finds pretty quickly when searching for terms related to using a certificate.

    My impressions? I bought the cert mostly to sign an installer xls file for an add in...and it doesn't really change the user experience that much. If people have their macro security set to high, you can 'trust the publisher' and enable macros without having to change your security setting, which is a bonus. For people with very high or medium settings, the user experience isn't really all that different. Code signing is a 'nice' thing to do, I suppose.

    Where digital signing could be really useful is if you are distributing code in a workbook (as opposed to an add in, as I typically do). If you select 'trust this publisher' and enable macros when you first open a signed workbook, the message will never appear again. While not tested, it also seems that if you open other workbooks by the same publisher, the enable macros dialog will never appear.

    I read in a few places that if you enable timestamping, it significantly slows the save process in the VBE. I have not found that to be the case. What is very slow is opening a signed workbook the first time - ostensibly, the digital signature is being checked, but I'm not sure.

    All that said, enabling macros is but one click...in 2007, however, getting inexperienced users to enable macros is tougher because the security warning just isn't in your face like it is in prior versions, which seems odd given MS's other 'progress' in the security arena (e.g., UAC)

    My two cents.
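
Added example, not part of the original thread: a PowerShell sketch of the timestamp configuration post #4 describes, with the retry count and delay set to 5 as the poster did. The key path and value names are the ones Microsoft documents for VBA timestamping and are not quoted in the thread; the timestamp URL is a placeholder, so the script stops until you replace it with the one your certificate authority publishes.

```powershell
# Added example: per-user timestamp settings read by the VBA editor when signing.
# Key path and value names follow Microsoft's Office documentation; they are
# not quoted in the thread. The URL below is a placeholder, not a real service.
$KeyPath      = 'HKCU:\Software\Microsoft\VBA\Security'
$TimestampUrl = 'http://timestamp.example.invalid/'   # replace with your CA's URL

$Desired = [ordered]@{
    TimeStampURL        = @{ Type = 'String'; Value = $TimestampUrl }
    TimeStampRetryCount = @{ Type = 'DWord';  Value = 5 }   # value the poster used
    TimeStampRetryDelay = @{ Type = 'DWord';  Value = 5 }   # value the poster used
}

# Refuse to write a malformed or placeholder URL, so a typo is caught before signing.
$uri = $null
if (-not [Uri]::TryCreate($TimestampUrl, [UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -notin 'http', 'https' -or $uri.Host -like '*.invalid') {
    throw "Set `$TimestampUrl to the timestamp server URL published by your CA."
}

# Create the key if it is missing, then write (or overwrite) the three values.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
foreach ($name in $Desired.Keys) {
    New-ItemProperty -Path $KeyPath -Name $name `
        -PropertyType $Desired[$name].Type `
        -Value $Desired[$name].Value -Force | Out-Null
}

# Read the values back and show any mismatch between expected and stored data.
$actual = Get-ItemProperty -Path $KeyPath
$Desired.Keys | ForEach-Object {
    [pscustomobject]@{
        Name     = $_
        Expected = $Desired[$_].Value
        Actual   = $actual.$_
        Match    = ($actual.$_ -eq $Desired[$_].Value)
    }
} | Format-Table -AutoSize
```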

  5. #5
    Ken Puls (Moderator, VBAX Guru) | Joined: Aug 2004 | Location: Nanaimo, BC, Canada | Posts: 4,001
    Quote Originally Posted by tpoynton
    Where digital signing could be really useful is...
    Another one to add to this list... If you're developing code for clients, it is a way to figure out if the user has tampered with your code. If the signature is intact, you know it is still in the state you shipped it to them. If not...

  6. #6
    austenr (Moderator, VBAX Master) | Joined: Sep 2004 | Location: Maine | Posts: 2,033
    Are we talking about the certificate you can sign that malcommb wrote a KB about?
    Peace of mind is found in some of the strangest places.

  7. #7
    tpoynton (VBAX Mentor) | Joined: Feb 2005 | Location: Clinton, MA | Posts: 399
    Not exactly; Malcolm is talking about signing code for yourself, for use on your own computer. What I'm talking about here is a certificate you purchase to sign code with for larger distribution - see this for a link to the place I purchased, and here is another place that provides a description of what it is and perhaps how it's different than self signing...

    Edit: Ken, didn't see your post! Indeed, knowing the file has not been tampered with is another important feature of digital code signing...in fact, it may be the best one for files distributed via the Internet!
    Last edited by tpoynton; 08-21-2007 at 05:40 PM.
