Code-signed macros in template expiring

Paul Herber

Hi everyone,
all of my Visio application templates and add-ons are digitally signed
with a code-signing certificate. Now, the certificates have a limited
life for signing and have to be renewed, or rather, a new certificate
has to be purchased once the old certificate expires.
This is not a problem when .exe or .vsl files have been signed, as the
timestamp that can be created within the signed code prevents the
application from expiring, i.e. once it's signed it stays signed.
However, with code-signed macros in templates, stencils or documents
it's a very different matter: there is no timestamp, hence the signed
code expires.
Anyone who has created a drawing based upon a template that has now
expired sees a warning message that the certificate has expired and
that the macros cannot be run. The only option is to lower the macro
security level to Low, which is not an option in many corporations and
certainly not acceptable.

How can macros be signed such that they don't expire?
Even if this is possible I have many customers with documents that now
have expired code-signing. What can be done about this?
 
JuneTheSecond

GlobalSign has certificates with and without time stamp.
But I don't know exactly what the difference is.
Microsoft is recommending code signing for VBA security,
so anyway we need more detailed information from
both Microsoft and the certificate companies.
 
Paul Herber

> GlobalSign has certificates with and without time stamp.
> But I don't know exactly what the difference is.
> Microsoft is recommending code signing for VBA security,
> so anyway we need more detailed information from
> both Microsoft and the certificate companies.

It's not that; you use signtool with various options to sign normal
code (exe, dll etc.) and there is a timestamp option to add a timestamp
to the files. It's just that for VBA macros there is no timestamp option.

Not only does it defeat the whole object of having signed code, it
even makes it worse. Unsigned code works just fine on Low or Medium
security; now what used to work fine is raising security errors and
not working.

OK, Visio 2007 has the Trusted Locations feature, but that's no good
for users still on earlier versions. I still support users on Visio
2003/2002/2000 and even Visio 5. Somebody has to.
 
Paul Herber

> VeriSign suggests that users set registry keys in
> "Microsoft Office 2000/Visual Basic for Applications" at
> https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR183
>
> Though I cannot afford to buy a certificate,
> I strongly wish VBA may have a tomorrow.

I can't get timestamping to work at all with my certificate, even for
exe, dll and vsl files. I get error 0x80004005:
SignTool Error: ISignedCode::Timestamp returned error: 0x80004005
Unspecified error
SignTool Warning: Signing succeeded, but an error occurred while
attempting to timestamp: jsd.vsl


And how on earth did you find out about the registry keys!!! I've
never seen that mentioned anywhere before. It doesn't make any
difference at the moment, perhaps because of the above problem.


Incredible though: asking the certificate supplier why this
0x80004005 error occurs and whether I have my command line correct, I
get the reply:
"In order to sign your code, you pass the code which you want to
authenticate through a hashing algorithm and then use your private key
to sign the hash, which results in a digital signature. You then build
a signature block, which contains the digital signature and the
code-signing certificate.
Tools like Authenticode let you time stamp the signature block based
on the current date and time that a time stamping service provider,
such as *****, provides. Finally, you bind the time stamped signature
block to the original software. Now you can publish the signed
software on your Web site for download."

Which might well be 100% technically correct but is as useless as a
useless thing to a useless person. When asked what it means I get the
response:
use "signtool.exe sign /f c:/cert.pfx /p Password /v /t
http://timestamp.comodoca.com/authenticode jsd.vsl"

Well, thank goodness for that; there is nothing like being told to use
the exact command line that generates the error.
 
Nikolay Belyh

We are using the Comodo certificate as well.
Sometimes (once a week) signtool also fails to timestamp due to a
timeout (?), but basically everything works just fine... The command
line used is exactly the same as yours.
Maybe this is some odd network/anti-virus program issue?
 
Paul Herber

> We are using the Comodo certificate as well.
> Sometimes (once a week) signtool also fails to timestamp due to a
> timeout (?), but basically everything works just fine... The command
> line used is exactly the same as yours.
> Maybe this is some odd network/anti-virus program issue?

Not that I can see; turning off the firewall makes no difference.
The signing part works but not the timestamp part.
 
Paul Herber

> I can't get timestamping to work at all with my certificate, even for
> exe, dll and vsl files. I get error 0x80004005:
> SignTool Error: ISignedCode::Timestamp returned error: 0x80004005
> Unspecified error
> SignTool Warning: Signing succeeded, but an error occurred while
> attempting to timestamp: jsd.vsl

A touch of success: I had XP SP1 on the computer doing the signing;
even though the Windows SDK from whence came SignTool states that SP1
is OK, it seems that SP2 is required for timestamping. Having
installed SP2, timestamping now works for exe, dll and vsl files!

But, even with JTS's registry modifications, I can't seem to get a
timestamp into vst files.

Has anyone succeeded?
 
JuneTheSecond

I have studied time stamping of VBA macros by
reading through documents on the web sites of
Microsoft and the certificate suppliers.
My conclusion is the following two points.
1. To enable the time stamp, the previous setting of
the registry must be done.
But I don't find the registry mentioned
in the documents either. I don't know how I can
make the registry. My idea is to use something like Orca,
but I have not tried it yet. And I wonder why they
suggest such an unsafe operation to users.
An organization nervous about security might
never approve such an unsafe operation.
2. It is written in those documents that, even if the
certificate has expired, users can verify that
the signature was applied while the certificate
was still valid. They say no more than that.
I thought that, if users set the security level lower,
users can open the macro with warning messages,
but I cannot try it, because I cannot buy the certificate.
Who can approve such an unsafe operation?

Addition:
Does VBA have a tomorrow?
I strongly wish VBA may have a tomorrow.
 
Paul Herber

> but I cannot try it, because I cannot buy the certificate.

I've emailed you privately about this. I'll deal with the rest over
the weekend.
> Who can approve such an unsafe operation?

Medium security is fine; the user is asked whether to run the macros.
I've got a pile of customers happily using Low, as they have other
macros and add-ons that aren't signed and never will be.
 
JuneTheSecond

Did you check here?
http://timestamp.comodoca.com/authenticode
On the page it is written that
"Welcome to the C·O·M·O·D·O· CA Authenticode
Timestamping Service.
To use this service, please run the Microsoft
Authenticode signature utility called either
signcode.exe or signtool.exe.
When the signature utility prompts you for a
"Timestamp service URL", enter
http://timestamp.comodoca.com/authenticode
in the space provided."

Ksoftware supplies code signing at the best cost.
I appreciate your kind suggestion.

But for me it costs a lot of money.
And moreover, if you do not succeed in stamping
time on your VBA macro, I am much afraid to buy.
Even if I buy, it is at least a year before I can
check that the time stamp is still valid and my macro
is still alive.

I deeply hope for your success.
 
Nikolay Belyh

I thought that signing a VST file is not possible... Is it?
How did you manage to sign it (even without timestamping)?

AFAIK you can sign only files that support signing,
i.e. EXE, DLL, MSI and XML files...

Kind regards, Nikolay.
 
Paul Herber

> I thought that signing a VST file is not possible... Is it?
> How did you manage to sign it (even without timestamping)?
>
> AFAIK you can sign only files that support signing,
> i.e. EXE, DLL, MSI and XML files...

Hi Nikolay.
In any Visio file (vsd, vst or vsl), open the VBA editor and use
menu Tools -> Digital Signatures.
 
Nikolay Belyh

I see.
Have tried that for myself just now; we also
have chosen a COMODO cert (as the least overpriced one ;-)
So,

- I have created the following registry keys
(below is the content of the exported reg file):

[HKEY_CURRENT_USER\Software\Microsoft\VBA\Security]
"TimeStampURL"="http://timestamp.comodoca.com/authenticode"
"TimeStampRetryCount"=dword:00000005
"TimeStampRetryDelay"=dword:00000005

- Opened VBA, then Tools -> Digital Signatures, selected our pfx.

- Saved the file.

The timestamping seems to succeed... (I suppose Visio
timestamps files on saving, since the saving process took
a bit longer than usual.)

To check that, I have opened that file again.
Visio asked about macro security and displayed
the following info:

http://pix.academ.org/img/2008/06/23/9d053c0f9fe622e2d2632ddd59ce7003

My environment: Windows XP SP3 (RU), Visio 2007 Pro (EN)
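As an added example in PowerShell (not code from anyone in this thread), the following script pulls together the three technical pieces discussed so far: the HKCU registry values Nikolay posted above, which make the VBA editor request a timestamp when a vst/vsd project is signed; the signtool command line Paul was given, split so that the timestamp step can be retried on its own when the TSA call times out (Nikolay's once-a-week failure), because signtool leaves a valid but untimestamped signature behind when only the timestamp fails; and a triage pass that lists signed PE files carrying no timestamp countersignature, i.e. the ones that will stop validating when the certificate expires. It assumes signtool.exe from the Windows SDK is on PATH, Windows PowerShell with Get-AuthenticodeSignature, and a code-signing certificate in a PFX. $PfxPath, $PfxPassword and the file list are placeholders; the timestamp URL is the Comodo one quoted in the thread.

```powershell
# Added example, not from the thread. Placeholders: $PfxPath, $PfxPassword, $Files.
param(
    [string]$PfxPath      = 'C:\certs\codesign.pfx',   # assumption
    [string]$PfxPassword  = 'changeme',                # assumption; a cert in the user store with /n or /sha1 avoids a password on the command line
    [string]$TimestampUrl = 'http://timestamp.comodoca.com/authenticode',
    [string[]]$Files      = @('jsd.vsl')               # assumption
)

# 1. VBA projects (vst/vsd/vss) are signed from the VBA editor, not with signtool.
#    The editor only timestamps when these values exist for the signing user (HKCU).
function Set-VbaTimestampUrl {
    param([string]$Url, [int]$RetryCount = 5, [int]$RetryDelay = 5)
    $key = 'HKCU:\Software\Microsoft\VBA\Security'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name TimeStampURL        -Value $Url        -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name TimeStampRetryCount -Value $RetryCount -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $key -Name TimeStampRetryDelay -Value $RetryDelay -PropertyType DWord  -Force | Out-Null
    # Read back, so a typo in the value name shows up now rather than as an untimestamped signature later.
    return ((Get-ItemProperty -Path $key).TimeStampURL -eq $Url)
}

# 2. Native files (exe/dll/vsl): sign once, then retry only the timestamp step.
#    'signtool timestamp' adds the countersignature to an already-signed file.
function Invoke-SignAndTimestamp {
    param([string]$File, [int]$MaxAttempts = 5)
    & signtool.exe sign /f $PfxPath /p $PfxPassword /v $File
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $File" }
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        & signtool.exe timestamp /t $TimestampUrl $File
        if ($LASTEXITCODE -eq 0) { return $true }
        Start-Sleep -Seconds (5 * $i)   # TSA timeouts are transient; back off and try again
    }
    return $false
}

# 3. Triage: which signed PE files have no timestamp countersignature and will
#    therefore be rejected once the signing certificate's NotAfter date passes?
function Get-ExpiringSignatures {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        if ($sig.Status -eq 'NotSigned') { continue }
        [pscustomobject]@{
            File        = $p
            Status      = $sig.Status
            SignerUntil = $sig.SignerCertificate.NotAfter
            Timestamped = [bool]$sig.TimeStamperCertificate   # $false means "expires with the cert"
        }
    }
}

if (-not (Set-VbaTimestampUrl -Url $TimestampUrl)) { throw 'VBA timestamp registry values were not written' }
foreach ($f in $Files) {
    if (-not (Invoke-SignAndTimestamp -File $f)) { Write-Warning "$f is signed but NOT timestamped" }
}
Get-ExpiringSignatures -Paths $Files | Format-Table -AutoSize
```

The registry values live under HKCU, so run the first step as the account that will actually sign in the VBA editor. Nothing on this page exposes a VBA project's timestamp from outside Visio, which is why the triage step only covers PE files (vsl/exe/dll); for those, `signtool verify /pa /v` also prints whether and when the signature was timestamped, which answers Paul's "will it survive expiry" question without moving the system clock. Newer signtool builds additionally accept `/tr <url> /td sha256` for an RFC 3161 timestamp in place of the legacy `/t` Authenticode one.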
 
Paul Herber

> I see.
> Have tried that for myself just now; we also
> have chosen a COMODO cert (as the least overpriced one ;-)
> So,
>
> - I have created the following registry keys
> (below is the content of the exported reg file):
>
> [HKEY_CURRENT_USER\Software\Microsoft\VBA\Security]
> "TimeStampURL"="http://timestamp.comodoca.com/authenticode"
> "TimeStampRetryCount"=dword:00000005
> "TimeStampRetryDelay"=dword:00000005
>
> - Opened VBA, then Tools -> Digital Signatures, selected our pfx.
>
> - Saved the file.
>
> The timestamping seems to succeed... (I suppose Visio
> timestamps files on saving, since the saving process took
> a bit longer than usual.)
>
> To check that, I have opened that file again.
> Visio asked about macro security and displayed
> the following info:
>
> http://pix.academ.org/img/2008/06/23/9d053c0f9fe622e2d2632ddd59ce7003
>
> My environment: Windows XP SP3 (RU), Visio 2007 Pro (EN)

But what about the expiry of the signing?
Try setting your PC clock to the day after the certificate expires.
 
Nikolay Belyh

Have set the clock to 23.06.2011
(three years ahead; the certificate expires in 2010).
No difference, i.e. I'm getting exactly the same warning from Visio.
If I allow adding the publisher to trusted publishers, no more
warnings.

It seems that the signature itself did not expire,
though the ability to sign with the certificate did.
I.e. if I set the current date to 2011 then I can't sign using
this certificate anymore (signtool complains that
"certificate is not valid for signing").

If I set the date back to current then signing succeeds.
 
Nikolay Belyh

That's right, the timestamping is done according
to the provider's clock, but when I _open_ the signed file,
my clock is taken into account.

So this "test" was actually about how the _signed file_
will behave after the certificate expiration.

So the "conclusions" are that if the file was timestamped,
it will behave OK even after certificate expiration;
however, if the file was not timestamped, then it will be
considered "flawed" after certificate expiration.

So now we have come to an understanding of Paul's first question... ;-)
But I should say that your "registry patch"
worked just fine on my machine (I have just replaced
VeriSign's timestamping URL with Comodo's timestamping URL).
 
Paul Herber

> That's right, the timestamping is done according
> to the provider's clock, but when I _open_ the signed file,
> my clock is taken into account.
>
> So this "test" was actually about how the _signed file_
> will behave after the certificate expiration.
>
> So the "conclusions" are that if the file was timestamped,
> it will behave OK even after certificate expiration;
> however, if the file was not timestamped, then it will be
> considered "flawed" after certificate expiration.
>
> So now we have come to an understanding of Paul's first question... ;-)
> But I should say that your "registry patch"
> worked just fine on my machine (I have just replaced
> VeriSign's timestamping URL with Comodo's timestamping URL).

Well, suddenly it all seems to be working correctly. I would be
grateful if someone could download one/any of my add-ons (address in
sig, below) and tell me what expiry characteristics they see.
Many thanks for your assistance.
 
Nikolay Belyh

According to my Visio, files (SanDriLa.vst and SanDri_La.vsl)
are both signed and timestamped 26 June 2008.

Kind regards, Nikolay
 