Sign VBA project #126

Open · rfcdejong opened this issue Mar 29, 2021 · 16 comments

Comments

@rfcdejong

Can AzureSignTool sign VBA macro projects inside word, excel, etc?

Microsoft Signtool allows it when there is a special SIP package installed
https://stackoverflow.com/a/57039432/578552

@rfcdejong (Author)

After reading into what VBA signing is, I figured out that signing a VBA file is in fact done by SignedCms. Looking at the source from EPPlus, I found that it is doing it that way.
https://github.com/EPPlusSoftware/EPPlus/blob/96a7ac124515c41ce6336a64ed377549300d440a/src/EPPlus/Vba/ExcelVBASignature.cs#L263

Except that we do not have a private key; the Azure Key Vault has it. So perhaps this issue is related:
dotnet/runtime#24707

And implemented in .NET Core 3.0 and newer:
dotnet/corefx#29219

Any ideas to support SignedCms inside AzureSignTool? Or am I missing something?

@akamisarau

Hi,
Any updates there?
There is a need to sign VBA macros (xlsm) using AzureSignTool, but it does not work (tried both the 2.0.17 and 3.0.0 versions):

fail: AzureSignTool.SignCommand[0] The file cannot be signed because it is not a recoginized file type for signing or it is corrupt.
fail: AzureSignTool.SignCommand[0] Signing failed with error 800B0003.

With signtool from the Windows SDK it works after adding the appropriate SIP.

[screenshot]
Could you please help?

@Mavranic

Just wanted to add my name to this. As above. Would be great if this could be resolved.

@ABNOTECHGuy

Need this functionality urgently. Government contract. The cert is an EV HSM-RSA Azure Key Vault cert.
Currently useless for signing document macros.

@vince-hardwick

Adding my voice to the above; urgent need to sign a VBA project in a local .xlsm file.

As of recently, our certificate provider no longer allows their standard code signing certificates to be exported as a .pfx file, in order to comply with CA/B changes to improve private key protection:

https://support.globalsign.com/code-signing/new-requirements-related-private-key-protection-codesigning-certificates

We are therefore unable to install the certificate on any machines, and can only apply digital signatures to VBA projects in .xlsm files using the FIPS 140-2 Level 2 compliant secure USB token onto which the certificate has been installed... which can obviously be used by only one person at a time, and is therefore a single point of failure. This is particularly problematic given that I am that one person/SPoF, and I am a remote worker!

As noted by @akamisarau above, I'm just getting the following when I try AzureSignTool from cmd:

[screenshot]

Please could you provide an update on progress with this much-needed functionality, thanks.

@namazso

namazso commented Jul 10, 2023

I can confirm this is at least possible; I got a PoC working (not based on AzureSignTool though).

@jozefizso (Contributor)

Is there a call which can be hooked? Because when I used API Monitor while the SIP was signing data, the process behaved differently than signtool does when signing MSI/EXE/DLL files.

And I wasn't able to find a hook for that process.

@namazso

namazso commented Jul 10, 2023

Hooking is not necessary; you can simply use the /dlib option of signtool. While realizing this took me way too much time, it turns out the author of this repo has a blog post on it as well as a Rust implementation. It's almost identical to my C++ solution.

@namazso

namazso commented Jul 11, 2023

I also posted my C++ implementation of essentially the same thing: https://github.com/namazso/AzuKI

Using the x86 signtool and an x86 build, following the earlier Stack Overflow answer, I can correctly sign various Office files with VBA. Not sure if the signatures are supposed to be visible or have any effect (it still gets blocked by Excel), but it passes signtool verify.

@rwsdwatson

Ahh yes, I too would like this facility.
I read the main page about it honouring SIPs and thought it would work.

@danguetta

Adding my voice to this request, as well as a hearty thank you to everyone who has worked on this repo :-) I don't think I have the skills to do this myself, but if someone can talk me through the outlines of what would be required, happy to try and do the work...

@connorburgessM4A

Adding my name to this.
Would be great if this could be resolved.

@m-puolitaival

Adding another interested party for this feature.

@georg-jung

georg-jung commented Mar 20, 2024

It is already possible to sign xlsm/... files with AzureSignTool. Thanks @vcsjones for the great work!

Microsoft Signtool allows it when there is a special SIP package installed

So does AzureSignTool. The important point here is that the Office SIPs are x86/32-bit only and modern .NET apps tend to execute as 64-bit.

This works for me:

  1. Install the Office SIPs according to the included readme.
  2. Execute in a shell:

     git clone https://github.com/vcsjones/AzureSignTool.git
     cd AzureSignTool/src/AzureSignTool
     dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
     dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
     dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86

     • It is actually required to run the same command 3x, to first create a legacy signature, then an agile signature, then a V3 signature. See the readme of the Office SIPs.
  3. signtool verify /pa D:\signtest.xlsm returns:
File: D:\signtest.xlsm
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161

Successfully verified: D:\signtest.xlsm
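The three-pass procedure above, wrapped in a script that fails fast on the two things that usually go wrong: running a 64-bit tool (the Office SIPs will not load into it) and a pass exiting non-zero. This is an added example, not code from the issue or from the AzureSignTool project; it assumes an x86 (win-x86) build of AzureSignTool.exe and the x86 signtool.exe from the Windows SDK are on PATH, and that the SIPs are already registered.

```powershell
# Added example (not from the issue or the AzureSignTool project): automate the
# legacy -> agile -> V3 signing passes and verify the result. Assumptions are marked.
param(
    [Parameter(Mandatory)] [string] $File,                 # e.g. D:\signtest.xlsm
    [Parameter(Mandatory)] [string] $VaultUrl,             # value for -kvu
    [Parameter(Mandatory)] [string] $CertName,             # value for -kvc
    [string] $TimestampUrl     = 'http://timestamp.acs.microsoft.com/',
    [string] $AzureSignToolExe = 'AzureSignTool.exe',      # ASSUMPTION: a win-x86 build on PATH
    [string] $SignToolExe      = 'signtool.exe'            # ASSUMPTION: x86 Windows SDK signtool on PATH
)

$ErrorActionPreference = 'Stop'

# The Office SIPs are 32-bit only, so the process that calls SignerSignEx3 must be 32-bit.
# This checks the tool binary itself, not the shell launching it:
# PE header -> e_lfanew at 0x3C -> COFF Machine field, 0x014c = IMAGE_FILE_MACHINE_I386.
function Test-IsX86Pe([string] $Path) {
    $bytes    = [System.IO.File]::ReadAllBytes((Get-Command $Path).Source)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    return $machine -eq 0x014c
}

if (-not (Test-IsX86Pe $AzureSignToolExe)) {
    throw "$AzureSignToolExe is not a 32-bit build; the Office SIPs will not load into it."
}

# One invocation per signature type, in the order the Office SIP readme requires.
foreach ($pass in 'legacy', 'agile', 'V3') {
    Write-Host "Signing pass: $pass"
    & $AzureSignToolExe sign $File -kvm -kvu $VaultUrl -kvc $CertName -tr $TimestampUrl
    if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed on the $pass pass (exit $LASTEXITCODE)" }
}

# Verify with the SDK signtool; a non-zero exit means the signature did not validate.
& $SignToolExe verify /pa $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit $LASTEXITCODE)" }
```

Run it from a shell in which the SIPs have been registered; if verify still fails after three clean passes, check that signtool.exe is also the x86 build, since a 64-bit signtool cannot load the SIPs to read the signature back.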

@danguetta

danguetta commented Mar 28, 2024

EDIT: it looks like I solved the problem below.

The problem is that the Regsvr32 step required to install the SIP doesn't "stick around"; it needs to be run in the same terminal session as the actual signtool. In particular, if you're using GitHub Actions to do this, it needs to be run in the same run command.

First off, thanks so much for adding this feature! I tried all the steps, but unfortunately I'm getting this error:

Signing failed with error 800403F4.

I tried to follow the instructions here and use an older version of the C++ redistributables, but to no avail; same error.

Any idea what might be going on? The error message is somewhat cryptic...

Thanks so much!

Full output:

trce: AzureSignTool.SignCommand[0]
Retrieving certificate ***.
trce: AzureSignTool.SignCommand[0]
Retrieved certificate ***.
trce: AzureSignTool.SignCommand[0]
Creating context
info: AzureSignTool.SignCommand[0]
=> File: macro_file.xlsm
Signing file.
trce: AzureSignTool.SignCommand[0]
=> File: macro_file.xlsm
Getting SIP Data
trce: AzureSignTool.SignCommand[0]
=> File: macro_file.xlsm
Calling SignerSignEx3 with flags: SIGN_CALLBACK_UNDOCUMENTED
fail: AzureSignTool.SignCommand[0]
=> File: macro_file.xlsm
Signing failed with error 800403F4.
info: AzureSignTool.SignCommand[0]
=> File: macro_file.xlsm
Stopping file signing.
info: AzureSignTool.SignCommand[0]
Successful operations: 0
info: AzureSignTool.SignCommand[0]
Failed operations: 1
Error: Process completed with exit code 2.

@m-puolitaival

It is already possible to sign xlsm/... files with AzureSignTool. Thanks @vcsjones for the great work!

Microsoft Signtool allows it when there is a special SIP package installed

So does AzureSignTool. The important point here is that the Office SIPs are x86/32-bit only and modern .NET apps tend to execute as 64-bit.

This works for me:

  1. Install the Office SIPs according to the included readme.
  2. Execute in a shell:

     git clone https://github.com/vcsjones/AzureSignTool.git
     cd AzureSignTool/src/AzureSignTool
     dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
     dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
     dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86

     • It is actually required to run the same command 3x, to first create a legacy signature, then an agile signature, then a V3 signature. See the readme of the Office SIPs.
  3. signtool verify /pa D:\signtest.xlsm returns:
File: D:\signtest.xlsm
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161

Successfully verified: D:\signtest.xlsm

I can confirm that these instructions did the trick for us.
