I have set up Azure Trusted Signing, and everything has worked fine for the dll, exe, and msi files I've needed it for. However, we have some Word Template files that contain macros that our customers require to be digitally signed, and I have not been able to successfully sign them using the Azure method.
I attempted using the command: signtool.exe sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256 /dlib C:\CodeSigning\bin\x86\Azure.CodeSigning.Dlib.dll /dmdf C:\CodeSigning\metadata.json "C:\file.dotm"
Initially it complained that the file type was unsupported, so I followed the instructions for installing the Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects: https://www.microsoft.com/en-us/download/details.aspx?id=56617
Now when I run the above command, it does say it's successful: "Signing completed with status 'Succeeded' in 2.6279078s". However, when I do a signtool.exe verify C:\file.dotm, it says there is no signature found. And indeed, when I open the Word template and look at the Digital Signature setting, it says [no certificate].
Can anyone help me here?
Azure Trusted Signing only supports file types supported by Signtool.exe - https://learn.microsoft.com/en-us/azure/trusted-signing/faq#what-types-of-files-can-we-sign-by-using-trusted-signing
Trusted Signing does not support signing macros.
I've just been through this with Microsoft's Premier support and the Office SIP product group. Essentially, the Office SIP DLLs don't support digest signing capability via Signtool. Signtool uses digest signing to communicate with the Trusted Signing service. The feedback I received from the Office SIP product group was that Microsoft was not investing any additional resources into developing components of the VBA macro ecosystem. So they flat out denied my feature request to enable support for Trusted Signing integration. The only viable alternative I've found is to get a code signing certificate hosted within an Azure KeyVault and use AzureSignTool, which apparently works. However, with the current industry standard requiring code signing certs to be hosted on FIPS 140-2 appliances and most vendors we deal with requiring attestation files for this verification, I'm not sure how long the other vendors will accept "good faith" as part of the issuing process. So very disappointed in MS on this. We would have liked to use this process to capture our existing macros and their developers, and use it as a gatekeeping process to migrate to Office Scripts.
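A post-signing check for the symptom described in the question (the signing tool reports success but the template carries no signature), added here as an example and not part of the original thread or any Microsoft tooling. It relies on the fact that a macro-enabled Office file is a ZIP package whose VBA signature, when present, is stored in a vbaProjectSignature*.bin part next to vbaProject.bin; it checks presence only, not cryptographic validity, and the function names and sample packages are constructed for illustration.

```python
import io
import sys
import zipfile

# Part names Office uses for VBA project signatures (legacy, agile, V3 formats).
SIGNATURE_PARTS = {
    "vbaprojectsignature.bin",
    "vbaprojectsignatureagile.bin",
    "vbaprojectsignaturev3.bin",
}


def vba_signature_status(package):
    """Return (has_macros, signature_part_names) for an OOXML path or file object."""
    with zipfile.ZipFile(package) as zf:
        has_macros = False
        signatures = []
        for info in zf.infolist():
            leaf = info.filename.rsplit("/", 1)[-1].lower()
            if leaf == "vbaproject.bin":
                has_macros = True
            elif leaf in SIGNATURE_PARTS and info.file_size > 0:
                signatures.append(info.filename)
    return has_macros, sorted(signatures)


def verdict(package):
    """Classify a package as 'no-macros', 'unsigned' or 'signed'."""
    has_macros, signatures = vba_signature_status(package)
    if not has_macros:
        return "no-macros"
    return "signed" if signatures else "unsigned"


def make_constructed_package(signed):
    """Build a minimal in-memory stand-in for a .dotm (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed-vba-project")
        if signed:
            zf.writestr("word/vbaProjectSignature.bin", b"constructed-signature")
    return buf


if __name__ == "__main__":
    # Usage: python check_vba_sig.py file.dotm ; non-zero exit fails a build step.
    result = verdict(sys.argv[1])
    print(f"{sys.argv[1]}: {result}")
    sys.exit(0 if result == "signed" else 1)
```

Run as a gate after the signing step, a result of "unsigned" catches the case where the tool prints 'Succeeded' but nothing was written into the file; opening the template in Word remains the check for whether the signature is actually valid and trusted.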