How do I sign an XLA from Excel 2016 with a timestamp?
I am struggling to sign an XLA from Excel 2016 with a timestamp. This is important, because without a timestamp the signature becomes invalid when the code signing certificate used expires. Unfortunately by default Excel does not apply a timestamp to the signature.
Microsoft's documentation (https://learn.microsoft.com/en-us/deployoffice/security/use-digital-signatures-with-office) states:
To use the time stamp functionality with digital signatures, you must complete the following tasks:
Set up a time stamp server that is compliant with RFC 3161
Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.
My certificate issuer, Comodo, states that their time stamping server (http://timestamp.comodoca.com) supports RFC 3161 (https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server).
I downloaded and installed the Office 2016 Administrative Template files (ADMX/ADML) from https://go.microsoft.com/fwlink/p/?LinkID=626001 in order to apply group policy settings. In the Local Group Policy Editor, I can then access User Configuration, Administrative Templates, Microsoft Office 2016, Security Settings, Digital Signatures where the relevant group policy settings are found.
I initially set the following:
- Specify timestamp server name to
http://timestamp.comodoca.com - Set timestamp server timeout to
20
... then when these didn't work (see below), I also set:
- Specify minimum XAdES level for digital signature generation to
XAdES-T - Requested XAdES level for signature generation to
XAdES-T
... because XAdES-T "Adds a time stamp to the XML-DSig and XAdES-EPES sections of the signature, which helps protect against certificate expiration" - which sounds like what I need.
I am signing in the VBA Editor using Digital Signature from the Tools menu.
However, when I check the signature, I still see no timestamp.
I am checking the signature as follows (I'm not aware of a simpler way):
In the Developer ribbon, click Macro Security, select Add-ins, then check Require Application Add-ins to be signed by Trusted Publisher. Click OK, then close Excel. (I'm not a trusted publisher, so I am intentionally causing my add-in to be disabled.)
Restart Excel, and create an empty workbook. (My add-in is configured to be loaded automatically.) A SECURITY WARNING is shown due to step 1.
- Click for more details as prompted, then choose Advanced Options from the Enable Content menu.
- In the Microsoft Office Security Options dialog, scroll down to the add-in which was signed and click Show Signature Details. This opens the Digital Signature Details dialog which shows Signing time:
Not available, indicating the lack of a timestamp:
My understanding is that a signature with a timestamp will show it here, e.g.
... but I have been unable to achieve this with my XLA.
I found that in addition to the Group Policy changes detailed in my question:
User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Digital Signatures\
... it was also necessary to set some registry keys which I'd found earlier but which hadn't worked in isolation:
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampURL" /f /d "http://timestamp.comodoca.com/authenticode"
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryCount" /f /t REG_DWORD /d 2
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryDelay" /f /t REG_DWORD /d 1
Note also that the group policy changes appear just to edit the registry, so it may be possible to make the registry changes above and:
reg add "HKCU\Software\Policies\Microsoft\office\16.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\12.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\14.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\15.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
(supporting some older Excel versions too).
Settings above are for my certificate issuer, Comodo. All references to timestamp.comodoca.com will need to be updated as appropriate.
- Excel LET Formula Results in #CALC! Error When Applying a Filter
- Save excel file using savefiledialog class in C#
- Excel, generate a list of names depending on row and column values of another sheet
- Ignore missing columns in pandas read_excel usecols
- When does Excel surround sheet names with single quotes in workbook.xml (or other xml) files?
- getting sheet names from openpyxl
- Counting number of unique values in one column if data in a 2nd column matches anything in a 3rd column
- How to add more than 255 characters in a data validation in xlsxwriter Python
- Open Excel File on a specific worksheet
- Including a value in a range to be summed, only if a date is not today
- XLOOKUP with flexible column for return_array and not unique values in lookup_array
- Get Picture from Worksheet into Excel Userform
- Get names from email column
- How to add the data in the same row index but in different cells in each column
- Consolidating all sheets data into another work book
- Repeat each value a different number of times. Excel
- How to convert a column of age counts into a set useful for statistics?
- VBA Excel Break Points and Stop do not work
- How to find average per day using pivot table?
- Using Excel for VLOOKUP and WildCard Not Working
- Resort from descending to ascending
- Create a scatter in excel using vbscript
- Add cell with comment above table header and matching cell values VBA
- Can you define names for dates in Excel to use them in formulas?
- Override spill cell
- How to create an Excel File with javascript?
- Formula for generating delimited list of incremented numbers
- Return offset cell value based on data validated dropdown list
- Why I could not simply read sheets and merge all the content in a single Variant?
- Extract comments from multiple word docs into Excel