I am struggling to sign an XLA from Excel 2016 with a timestamp. This is important, because without a timestamp the signature becomes invalid when the code signing certificate used expires. Unfortunately by default Excel does not apply a timestamp to the signature.
Microsoft's documentation (https://learn.microsoft.com/en-us/deployoffice/security/use-digital-signatures-with-office) states:
To use the time stamp functionality with digital signatures, you must complete the following tasks:
Set up a time stamp server that is compliant with RFC 3161
Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.
My certificate issuer, Comodo, states that their time stamping server (http://timestamp.comodoca.com
) supports RFC 3161 (https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server).
I downloaded and installed the Office 2016 Administrative Template files (ADMX/ADML) from https://go.microsoft.com/fwlink/p/?LinkID=626001 in order to apply group policy settings. In the Local Group Policy Editor, I can then access User Configuration, Administrative Templates, Microsoft Office 2016, Security Settings, Digital Signatures where the relevant group policy settings are found.
I initially set the following:
http://timestamp.comodoca.com
20
... then when these didn't work (see below), I also set:
XAdES-T
XAdES-T
... because XAdES-T "Adds a time stamp to the XML-DSig and XAdES-EPES sections of the signature, which helps protect against certificate expiration" - which sounds like what I need.
I am signing in the VBA Editor using Digital Signature from the Tools menu.
However, when I check the signature, I still see no timestamp.
I am checking the signature as follows (I'm not aware of a simpler way):
In the Developer ribbon, click Macro Security, select Add-ins, then check Require Application Add-ins to be signed by Trusted Publisher. Click OK, then close Excel. (I'm not a trusted publisher, so I am intentionally causing my add-in to be disabled.)
Restart Excel, and create an empty workbook. (My add-in is configured to be loaded automatically.) A SECURITY WARNING is shown due to step 1.
Not available
, indicating the lack of a timestamp:My understanding is that a signature with a timestamp will show it here, e.g.
... but I have been unable to achieve this with my XLA.
I found that in addition to the Group Policy changes detailed in my question:
User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Digital Signatures\
... it was also necessary to set some registry keys which I'd found earlier but which hadn't worked in isolation:
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampURL" /f /d "http://timestamp.comodoca.com/authenticode"
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryCount" /f /t REG_DWORD /d 2
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryDelay" /f /t REG_DWORD /d 1
Note also that the group policy changes appear just to edit the registry, so it may be possible to make the registry changes above and:
reg add "HKCU\Software\Policies\Microsoft\office\16.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\12.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\14.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\15.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
(supporting some older Excel versions too).
Settings above are for my certificate issuer, Comodo. All references to timestamp.comodoca.com will need to be updated as appropriate.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With