Azure Trusted Signing, how can I digitally sign a VBA macro

Ryan Schmitz 5 Reputation points
2024-09-09T14:54:27.9933333+00:00

I have set up Azure Trusted Signing, and everything has worked fine for the dll, exe, and msi files I've needed it for. However, we have some Word template files that contain macros that our customers require to be digitally signed, and I have not been able to successfully sign them using the Azure method.

I attempted using the command: signtool.exe sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256 /dlib C:\CodeSigning\bin\x86\Azure.CodeSigning.Dlib.dll /dmdf C:\CodeSigning\metadata.json "C:\file.dotm"

Initially it complained that the file type was unsupported, so I followed the instructions for installing the Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects: https://www.microsoft.com/en-us/download/details.aspx?id=56617

Now when I run the above command, it does say it's successful ("Signing completed with status 'Succeeded' in 2.6279078s"); however, when I do a signtool.exe verify C:\file.dotm, it says there is no signature found. And indeed, when I open the Word template and look at the Digital Signature setting, it says [no certificate].

Can anyone help me here?


2 answers

  1. Meha-MSFT 410 Reputation points Microsoft Employee
    2024-09-11T02:13:37.45+00:00

    Azure Trusted Signing only supports file types supported by Signtool.exe - https://learn.microsoft.com/en-us/azure/trusted-signing/faq#what-types-of-files-can-we-sign-by-using-trusted-signing

    Trusted Signing does not support signing macros.


  2. Aaron Kenah 5 Reputation points
    2024-11-17T22:46:37.26+00:00

    I've just been through this with Microsoft's Premier support and the Office SIP product group. Essentially, the Office SIP DLLs don't support digest signing capability via Signtool. Signtool uses digest signing to communicate with the Trusted Signing service. The feedback I received from the Office SIP product group was that Microsoft was not investing any additional resources into developing components of the VBA macro ecosystem. So they flat out denied my feature request to enable support for Trusted Signing integration. The only viable alternative I've found is to get a code signing certificate hosted within an Azure Key Vault and use AzureSignTool, which apparently works. However, with the current industry standard requiring code signing certs to be hosted on FIPS 140-2 appliances and most vendors we deal with requiring attestation files for this verification, I'm not sure how long the other vendors will accept "good faith" as part of the issuing process. So very disappointed in MS on this. We would have liked to use this process to capture our existing macros and their developers, and use it as a gatekeeping process to migrate to Office Scripts.
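
A post-signing check for the failure described in the question (the signing tool reports success but the template carries no signature), added here as an example that is not part of the original thread. It assumes the standard OOXML packaging in which Office stores VBA signatures as `vbaProjectSignature*.bin` parts beside `vbaProject.bin`; the function names `vba_signature_status` and `build_sample` are hypothetical, and the check covers presence only, not certificate or hash validity.

```python
import io
import sys
import zipfile

# VBA signature parts Office writes next to vbaProject.bin in an OOXML package.
SIGNATURE_PARTS = {
    "vbaprojectsignature.bin": "legacy",
    "vbaprojectsignatureagile.bin": "agile",
    "vbaprojectsignaturev3.bin": "v3",
}

def vba_signature_status(source):
    """Inspect a .dotm/.docm/.xlsm (path or file object).

    Presence check only: it does not validate the certificate chain or hash.
    """
    if not zipfile.is_zipfile(source):
        return {"verdict": "not-ooxml", "signatures": []}
    has_macros, found = False, set()
    with zipfile.ZipFile(source) as pkg:
        for info in pkg.infolist():
            leaf = info.filename.rsplit("/", 1)[-1].lower()
            if leaf == "vbaproject.bin":
                has_macros = True
            elif leaf in SIGNATURE_PARTS and info.file_size > 0:
                found.add(SIGNATURE_PARTS[leaf])
    if not has_macros:
        verdict = "no-macros"
    else:
        verdict = "signed" if found else "unsigned"
    return {"verdict": verdict, "signatures": sorted(found)}

def build_sample(signed):
    """Constructed stand-in for a template; the part bodies are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/vbaProject.bin", b"dummy project")
        if signed:
            pkg.writestr("word/vbaProjectSignature.bin", b"dummy signature")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # With a path argument, gate the build: exit non-zero unless a signature part exists.
    if len(sys.argv) > 1:
        status = vba_signature_status(sys.argv[1])
        print(status)
        sys.exit(0 if status["verdict"] == "signed" else 1)
    for signed in (False, True):
        print(signed, vba_signature_status(build_sample(signed)))
```

Run it against the signed output in the build pipeline so that a reported success with no embedded signature fails the job before the template ships.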

