Share via

Azure Trusted Signing, how can I digitally sign a VBA macro

Ryan Schmitz 10 Reputation points
2024-09-09T14:54:27.9933333+00:00

I have setup Azure Trusted Signing, and everything has worked fine for the dll, exe, and msi files I've needed it for. However we have some Word Template files that contain macros that our customers require to be digitally signed, and I have not been able to successfully sign them using the Azure method.

I attempted using the command: signtool.exe sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256 /dlib C:\CodeSigning\bin\x86\Azure.CodeSigning.Dlib.dll /dmdf C:\CodeSigning\metadata.json "C:\file.dotm"

initially it complained that the file type was unsupported, so I followed the instructions for installing the Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects : https://www.microsoft.com/en-us/download/details.aspx?id=56617

Now when I run the above command, it does say its successful "Signing completed with status 'Succeeded' in 2.6279078s", however when I do a signtool.exe verify C:\file.dotm, it says there is no signature found. And indeed when I open the word template and look at the Digital Signature setting it says [no certificate].

Can anyone help me here?

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Artifact Signing
Artifact Signing

A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Aaron Kenah 10 Reputation points
    2024-11-17T22:46:37.26+00:00

    I've just been through this with Microsoft's Premier support and the Office SIP product group. Essentially, the Office SIP dll's don't support digest signing capability via Signtool. Signtool uses digest signing to communicate with the Trusted Signing service. The feedback I received from the Office SIP product group was that Microsoft was not investing any additional resources into developing components of the VBA macro ecosystem. So they flat out denied my feature request to enable support for Trusted Signing integration. The only viable alternative I've found is to get a Code signing certificate hosted within an Azure KeyVault and use AzureSigntool which apparently works. However with the current industry standard requiring code signing certs to hosted on FIPS 140-2 appliances and most vendors we deal with requiring attestation files for this verification, I'm not sure how long, the other vendors will accept "good faith" as part of the issuing process. So very disappointed in MS on this. We would have liked to use this process to capture our existing Macro's and their developers, and use it as a gatekeeping process to migrate to Office Scripts.

    1 person found this answer helpful.
  2. Meha-MSFT 1,380 Reputation points Microsoft Employee Moderator
    2024-09-11T02:13:37.45+00:00

    Azure Trusted Signing only supports file types supported by Signtool.exe - https://learn.microsoft.com/en-us/azure/trusted-signing/faq#what-types-of-files-can-we-sign-by-using-trusted-signing

    Trusted Signing does not support signing macros.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.