Do I need to re-code sign Excel macros after renewing the certificate

Question

I created 20 to 30 forms in Excel plus an Excel add-in to work with the forms a couple of years ago. The forms and the add-in contain VBA code that we code signed with a certificate from Go Daddy. The certificate expires this month, and the company has asked me to help them with anything that needs to be done to ensure the forms will still work and not prompt corporate users about trusting macros.

The certificate will be renewed with Go Daddy, the original provider.

Do I need to re-code sign the VBA project in each file or is the code signing smart enough to realize that the certificate has been renewed and just use it anyway? It seems that, worst=case, I'll have to open each VBA project and re-sign the code, save the files, and then re-deploy them to the server from which users open the forms when using them.

I could probably figure this out by trial and error, but I no longer work at the company and won't have access to the forms and certificate until I go into the office next week. I want to be prepared, though, so any re-signing/re-deploying takes as little time as possible.

Thanks!

Answer 1

You will most likely have to resign all files, since signing is essentially saying "This code is approved by the creator tied to the accompanying certificate, as attested by this trustworthy company". And since certificates expire, you can't keep using the same one. This is to prevent someone from finding an old certificate somewhere on a discarded hard drive or whatever and signing code under a false name.

However, what you should be doing is "Timestamping" your code signing request. Timestamping your code effectively says "This code is approved by the creator at this moment in time and hasn't changed since". However, in order to timestamp a VBA project, you need to manually enable the use of the relevant external service, so you will need internet.

The process is explained in this article from Godaddy:

https://www.godaddy.com/help/code-signing-microsoft-office-macros-and-visual-basic-for-applications-4779

If you would like to allow people to continue using your signed Visual Basic® for Applicaions (VBA) code after the certificate expires, modify the registry on your code-signing computer to add a time stamp at the time of signing using the following keys:

• Create Key: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security
• Create String: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security\TimeStampURL
• Create DWORD: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security\TimeStampRetryCount
• Create DWORD: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security\TimeStampRetryDelay

Set the new fields to these values:

• TimeStampURL = http://tsa.starfieldtech.com
• TimeStampRetryCount = 3
• TimeStampRetryDelay = 2

After that:

To Code Sign Documents

1. Open the file you want to sign.
2. Click the Tools menu, highlight Macro and click Visual Basic Editor.
3. In the Project Explorer window, select the VBA macro project that you want to sign.
4. From the Tools menu, select Digital Signature.
5. Click Choose and select your Code Signing Certificate.0
6. Click OK to close.

This procedure should allow you to to keep using the VBA macros after the certificate expired.