
Sign VBA project

Open rfcdejong opened this issue 3 years ago • 14 comments

Can AzureSignTool sign VBA macro projects inside word, excel, etc?

Microsoft Signtool allows it when there is a special SIP package installed https://stackoverflow.com/a/57039432/578552

rfcdejong avatar Mar 29 '21 07:03 rfcdejong

After reading into what VBA signing is, I figured out that Signing a VBA file is in fact done by SignedCms. Looking at the source from EPPlus I found that it is doing it that way. https://github.com/EPPlusSoftware/EPPlus/blob/96a7ac124515c41ce6336a64ed377549300d440a/src/EPPlus/Vba/ExcelVBASignature.cs#L263

Except that we do not have a private key, the azure key vault has. So perhaps this issue is related https://github.com/dotnet/runtime/issues/24707

And implemented into .net core 3.0 and newer https://github.com/dotnet/corefx/pull/29219

Any ideas to support SignedCms inside AzureSignTool? Or am I missing something?

rfcdejong avatar Mar 29 '21 12:03 rfcdejong

Hi, any updates there? There is a need to sign VBA macros (.xlsm) using AzureSignTool, but it does not work (tried both 2.0.17 and 3.0.0 versions):

fail: AzureSignTool.SignCommand[0] The file cannot be signed because it is not a recoginized file type for signing or it is corrupt.
fail: AzureSignTool.SignCommand[0] Signing failed with error 800B0003.

With signtool from Windows SDK it works after adding appropriate SIP.

[screenshot]

Could you please help?

akamisarau avatar May 13 '22 13:05 akamisarau

Just wanted to add my name to this. As above. Would be great if this could be resolved.

Mavranic avatar Oct 24 '22 11:10 Mavranic

Need this functionality urgently. Government contract. Cert is an EV HSM-RSA AzureKeyVault cert. Currently useless for signing document macros.

ABNOTECHGuy avatar Nov 24 '22 06:11 ABNOTECHGuy

Adding my voice to the above, urgent need to sign VBA project in a local .xlsm file.

As of recently, our certificate provider no longer allows their standard code signing certificates to be exported as a .pfx file, in order to comply with CA/B changes to improve private key protection:

https://support.globalsign.com/code-signing/new-requirements-related-private-key-protection-codesigning-certificates

We are therefore unable to install the certificate on any machines, and can only apply digital signatures to VBA projects in .xlsm files using the FIPS 140‐2 Level 2 compliant secure USB token onto which the certificate has been installed... which can obviously be used by only one person at a time, and is therefore a single point of failure. This is particularly problematic given that I am that one person/SPoF, and I am a remote worker!

As noted by @akamisarau above, I'm just getting the following when I try AzureSignTool from cmd:

[screenshot]

Please could you provide an update on progress with this much-needed functionality, thanks.

vince-hardwick avatar Jun 20 '23 18:06 vince-hardwick

I can confirm this is at least possible, I got a PoC working (not based on AzureSignTool though)

namazso avatar Jul 10 '23 11:07 namazso

Is there a call that can be hooked? Because when I used API Monitor and the SIP was signing data, the process behaved differently than signtool signing MSI/EXE/DLL files.

And I wasn't able to find a hook for that process.

jozefizso avatar Jul 10 '23 14:07 jozefizso

Hooking is not necessary, you can simply just use the /dlib of signtool. While realizing this took me way too much time, it turns out the author of this repo has a blogpost on it as well as a rust implementation. It's almost identical to my C++ solution.

namazso avatar Jul 10 '23 14:07 namazso

I also posted my C++ implementation of essentially the same thing: https://github.com/namazso/AzuKI

Using the x86 signtool and x86 build following the earlier stackoverflow answer can correctly sign various office files with VBA. Not sure if they're supposed to be visible or have any effect (it still gets blocked by Excel), but it passes signtool verify.

namazso avatar Jul 11 '23 19:07 namazso

Ah yes, I too would like this facility. I read the main page about it honouring SIPs and thought it would work.

rwsdwatson avatar Jul 17 '23 12:07 rwsdwatson

Adding my voice to this request, as well as a hearty thank you to everyone who has worked on this repo :-) I don't think I have the skills to do this myself, but if someone can talk me through the outlines of what would be required, happy to try and do the work...

danguetta avatar Aug 09 '23 21:08 danguetta

Adding my name to this. Would be great if this could be resolved.

connorburgessM4A avatar Aug 21 '23 01:08 connorburgessM4A

Adding another interested party for this feature.

m-puolitaival avatar Mar 07 '24 07:03 m-puolitaival

It is already possible to sign xlsm/... files with AzureSignTool. Thanks @vcsjones for the great work!

> Microsoft Signtool allows it when there is a special SIP package installed

So does AzureSignTool. The important point here is that the Office SIPs are x86/32bit only and modern .NET apps tend to execute as 64bit.

This works for me:

  1. Install Office SIPs according to the included readme
  2. Execute in a shell:

git clone https://github.com/vcsjones/AzureSignTool.git
cd AzureSignTool/src/AzureSignTool
dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86

     • It is actually required to run the same command 3x, to first create a legacy signature, then an agile signature, then a V3 signature. See readme of Office SIPs.
  3. signtool verify /pa D:\signtest.xlsm returns:

File: D:\signtest.xlsm
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161

Successfully verified: D:\signtest.xlsm

georg-jung avatar Mar 20 '24 08:03 georg-jung

EDIT: it looks like I solved the problem below.

The problem is that the Regsvr32 step required to install the SIP doesn't "stick around" - it needs to be run in the same terminal session as the actual signtool. In particular, if you're using GitHub Actions to do this, it needs to be run in the same run command.


First off, thanks so much for adding this feature! I tried all the steps, but unfortunately I'm getting this error:

Signing failed with error 800403F4.

I tried to follow the instructions here and use an older version of the C++ redistributables, but to no avail - same error.

Any idea what might be going on? The error message is somewhat cryptic...

Thanks so much!


Full output:

trce: AzureSignTool.SignCommand[0] Retrieving certificate ***.
trce: AzureSignTool.SignCommand[0] Retrieved certificate ***.
trce: AzureSignTool.SignCommand[0] Creating context
info: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Signing file.
trce: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Getting SIP Data
trce: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Calling SignerSignEx3 with flags: SIGN_CALLBACK_UNDOCUMENTED
fail: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Signing failed with error 800403F4.
info: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Stopping file signing.
info: AzureSignTool.SignCommand[0] Successful operations: 0
info: AzureSignTool.SignCommand[0] Failed operations: 1
Error: Process completed with exit code 2.

danguetta avatar Mar 28 '24 05:03 danguetta
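The two comments above together describe the working procedure: register the (32-bit only) Office SIPs, run the x86 build of AzureSignTool three times over the same file so that the legacy, agile and V3 signatures are all produced, and run the SIP registration in the same session as the signing step. The script below is an added example that automates that sequence with exit-code checks; it is not code from the AzureSignTool project or from anyone in this thread. The SIP directory, the checkout path, the Key Vault URL, certificate name and file path are placeholders, and it assumes the SIP package readme tells you to register the DLLs in that directory with regsvr32.

```powershell
# Added example, not from the AzureSignTool project or this thread.
# Signs an .xlsm three times with a win-x86 run of AzureSignTool (legacy, agile,
# V3 signatures) and verifies the result with signtool. All paths and names
# below are placeholders to be replaced.
param(
    [string]$SipDllDir    = 'C:\placeholder\OfficeSIPs',          # placeholder: unpacked Office SIP package
    [string]$SrcDir       = 'C:\placeholder\AzureSignTool\src\AzureSignTool', # placeholder: cloned repo
    [string]$File         = 'D:\signtest.xlsm',                     # placeholder
    [string]$VaultUrl     = 'https://contoso-codesigning.vault.azure.net/',
    [string]$CertName     = 'contoso-codesigning-ov',
    [string]$TimestampUrl = 'http://timestamp.acs.microsoft.com/'
)

$ErrorActionPreference = 'Stop'

# The Office SIPs are 32-bit only, so register them with the 32-bit regsvr32
# (assumption: the SIP readme says to regsvr32 the DLLs shipped in the package).
# This must happen in the same session/step as the signing calls below.
$regsvr32 = Join-Path $env:WINDIR 'SysWOW64\regsvr32.exe'
foreach ($dll in Get-ChildItem -Path $SipDllDir -Filter '*.dll') {
    & $regsvr32 /s $dll.FullName
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 failed for $($dll.FullName) (exit $LASTEXITCODE)" }
}

# Three passes over the same file: the SIP adds the legacy signature first,
# then the agile one, then V3. Abort on the first failing pass so a partially
# signed file is not mistaken for a fully signed one.
Push-Location $SrcDir
try {
    foreach ($pass in 'legacy', 'agile', 'V3') {
        Write-Host "Signing pass: $pass"
        & dotnet run sign $File -kvm -kvu $VaultUrl -kvc $CertName -tr $TimestampUrl -r win-x86
        if ($LASTEXITCODE -ne 0) { throw "Signing pass '$pass' failed with exit code $LASTEXITCODE" }
    }
}
finally {
    Pop-Location
}

# Independent check with the Windows SDK signtool (the Office SIP must still be
# registered in this session for signtool to understand the .xlsm container).
& signtool verify /pa $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
Write-Host "Signed and verified: $File"
```

Run it from an elevated 64-bit PowerShell on the build machine (or as a single `run:` step in CI); regsvr32 needs administrator rights, and `-kvm` relies on an already available managed identity or `az login` context, exactly as in the commands quoted above.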

> It is already possible to sign xlsm/... files with AzureSignTool. Thanks @vcsjones for the great work!
>
> > Microsoft Signtool allows it when there is a special SIP package installed
>
> So does AzureSignTool. The important point here is that the Office SIPs are x86/32bit only and modern .NET apps tend to execute as 64bit.
>
> This works for me:
>
>   1. Install Office SIPs according to the included readme
>   2. Execute in a shell:
>
> git clone https://github.com/vcsjones/AzureSignTool.git
> cd AzureSignTool/src/AzureSignTool
> dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
> dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
> dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
>
>      • It is actually required to run the same command 3x, to first create a legacy signature, then an agile signature, then a V3 signature. See readme of Office SIPs.
>   3. signtool verify /pa D:\signtest.xlsm returns:
>
> File: D:\signtest.xlsm
> Index  Algorithm  Timestamp
> ========================================
> 0      sha256     RFC3161
>
> Successfully verified: D:\signtest.xlsm

I can confirm that these instructions did the trick for us.

m-puolitaival avatar Apr 10 '24 05:04 m-puolitaival