Tags: excel, vba, ssl, ms-office, code-signing

Signing VBA Code in Excel XLSM files - There was a problem with the Digital Certificate


I have a DigiCert EV Code Signing certificate to sign my C# code, and it works great.

However, now I'm trying to sign VBA code in an Excel XLSM file.

I get the error "There was a problem with the Digital Certificate. The VBA Project could not be signed. The signature will be discarded."

DigiCert support does not seem to be able to find a solution.

I have tried saving the VBA project first, then saving the file, as discussed here... https://social.technet.microsoft.com/Forums/en-US/07f0158c-085b-4031-93a1-c9d047cf855c/unable-to-sign-outlook-2010-vbaproject?forum=outlook

I have an EV Code Signing Certificate, so I cannot export the file with the certificate path as discussed here... https://knowledge.digicert.com/solution/SO1451.html and here... Unable to sign VBA with valid Sectigo Code Signing certificate

I thought maybe it's b/c I have an EV certificate and I may actually need a PFX certificate instead, but DigiCert said the following...

By November (or sooner) it also won't be possible with standard code signing. The reason it won't be possible is that standards require "qualified" hardware to store the private key and the code signing certificate, and that hardware by default makes it "read-only" or more specifically makes it so that you may use it but may not export it.

So I'm hoping someone here has an answer to this. Microsoft just released some update to Office that will block VBA without a bunch of extra steps unless the code is signed... https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked

Any help here is greatly appreciated...


Solution

  • The root cause of this issue is a change in the default behavior of the SafeNet Authentication Client software, starting with version 10.5. A list of obsolete/deprecated cryptographic algorithms (including the one needed for Office/Excel VBA signing) gets disabled by default. For more details see the original KB article on Thales' website here (thanks to DigiCert support for providing this).

    I have found two solutions:

    1. Uninstall your current (v10.5 or newer) version of the SafeNet Authentication Client. Then download and install version 10.4 (or any older version) from here.
    2. As @vzczc alluded to earlier, if we are to use version 10.5+, then we need to manually import/create a specific Registry Key and Value. Here is how I did it in more detail:
        • I was using SafeNet Authentication Client version 10.8 R6, build 10.8.2154.0 to start with.
        • First thing I did was right click on the "Safely Remove Hardware and Eject Media" icon in the tray and choose "Eject Token JC". Then I physically unplugged the USB token from my PC.
        • Again in your Windows tray, right click on the SAC icon and choose "Exit".
        • Open Windows Task Manager (Ctrl + Shift + Esc keyboard shortcut), go to the "Details" tab. Right-click -> End Task any leftover process whose name begins with "SAC..." (I had one of these running even after exiting SAC from the tray!).
        • Open the Registry Editor (WinKey + R keyboard shortcut, then regedit). Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC key, right-click on "SAC" and choose New -> Key. Name the new key Crypto.
        • Now right-click the new Crypto key we just created and choose New -> String Value. Name the new value Disable-Crypto.
        • In the right pane, double-click on the new Disable-Crypto value that we just created. In the resulting dialog box, set the "Value data" property to None and hit OK.
        • If everything went right, your final Registry structure should look like this: [screenshot: regedit final result]
        • Now restart your PC.
        • After the restart, wait for all your programs (incl. SafeNet Authentication Client) to load up again. Once you see the SAC icon in the tray, plug the hardware token into your PC's USB port again.
        • You should now be able to sign and save Excel VBA projects.
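
The registry steps from option 2 above, scripted in PowerShell as an added example (not part of the original answer or of any SafeNet/DigiCert tooling). The key path, value name and data are the ones given in the answer; the function name `Set-SacDisableCrypto` and its `-Revert` switch are assumptions of this example. Because the value re-enables algorithms the client disables by default, `-Revert` removes it again once signing is done.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the manual regedit steps in the answer.
# As in the answer: eject and unplug the token first, restart the PC afterwards.
function Set-SacDisableCrypto {
    [CmdletBinding()]
    param(
        # Hypothetical switch: remove the override, restoring the SAC 10.5+ default.
        [switch]$Revert
    )

    $sacKey    = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAC'
    $cryptoKey = "$sacKey\Crypto"
    $valueName = 'Disable-Crypto'

    # Do not create keys for a client that is not installed on this machine.
    if (-not (Test-Path -Path $sacKey)) {
        throw "SafeNet Authentication Client registry key not found: $sacKey"
    }

    # The answer ends any leftover process whose name begins with "SAC".
    Get-Process -Name 'SAC*' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue

    if ($Revert) {
        if (Test-Path -Path $cryptoKey) {
            Remove-ItemProperty -Path $cryptoKey -Name $valueName -ErrorAction SilentlyContinue
        }
        return [pscustomobject]@{ Key = $cryptoKey; Name = $valueName; Data = $null }
    }

    # New -> Key "Crypto" (only if it does not already exist).
    if (-not (Test-Path -Path $cryptoKey)) {
        New-Item -Path $cryptoKey | Out-Null
    }

    # New -> String Value "Disable-Crypto" with value data "None".
    New-ItemProperty -Path $cryptoKey -Name $valueName -Value 'None' `
        -PropertyType String -Force | Out-Null

    # Read the value back so a failed write is reported, not discovered at signing time.
    $actual = Get-ItemPropertyValue -Path $cryptoKey -Name $valueName
    if ($actual -ne 'None') {
        throw "Unexpected data for ${valueName}: '$actual'"
    }
    [pscustomobject]@{ Key = $cryptoKey; Name = $valueName; Data = $actual }
}

Set-SacDisableCrypto
```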