Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I sign an XLA from Excel 2016 with a timestamp?

I am struggling to sign an XLA from Excel 2016 with a timestamp. This is important, because without a timestamp the signature becomes invalid when the code signing certificate used expires. Unfortunately by default Excel does not apply a timestamp to the signature.

Microsoft's documentation (https://learn.microsoft.com/en-us/deployoffice/security/use-digital-signatures-with-office) states:

To use the time stamp functionality with digital signatures, you must complete the following tasks:

  • Set up a time stamp server that is compliant with RFC 3161

  • Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.

My certificate issuer, Comodo, states that their time stamping server (http://timestamp.comodoca.com) supports RFC 3161 (https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server).

I downloaded and installed the Office 2016 Administrative Template files (ADMX/ADML) from https://go.microsoft.com/fwlink/p/?LinkID=626001 in order to apply group policy settings. In the Local Group Policy Editor, I can then access User Configuration, Administrative Templates, Microsoft Office 2016, Security Settings, Digital Signatures where the relevant group policy settings are found.

I initially set the following:

  • Specify timestamp server name to http://timestamp.comodoca.com
  • Set timestamp server timeout to 20

... then when these didn't work (see below), I also set:

  • Specify minimum XAdES level for digital signature generation to XAdES-T
  • Requested XAdES level for signature generation to XAdES-T

... because XAdES-T "Adds a time stamp to the XML-DSig and XAdES-EPES sections of the signature, which helps protect against certificate expiration" - which sounds like what I need.

I am signing in the VBA Editor using Digital Signature from the Tools menu.

However, when I check the signature, I still see no timestamp.

I am checking the signature as follows (I'm not aware of a simpler way):

  1. In the Developer ribbon, click Macro Security, select Add-ins, then check Require Application Add-ins to be signed by Trusted Publisher. Click OK, then close Excel. (I'm not a trusted publisher, so I am intentionally causing my add-in to be disabled.)

  2. Restart Excel, and create an empty workbook. (My add-in is configured to be loaded automatically.) A SECURITY WARNING is shown due to step 1.

Excel security warning

  1. Click for more details as prompted, then choose Advanced Options from the Enable Content menu.

File  Info

  1. In the Microsoft Office Security Options dialog, scroll down to the add-in which was signed and click Show Signature Details. This opens the Digital Signature Details dialog which shows Signing time: Not available, indicating the lack of a timestamp:

no signing time

My understanding is that a signature with a timestamp will show it here, e.g.

signature with timestamp

... but I have been unable to achieve this with my XLA.

like image 322
davidm_uk Avatar asked Oct 16 '22 17:10

davidm_uk


1 Answers

I found that in addition to the Group Policy changes detailed in my question:

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Digital Signatures\

Group Policy Editor

Timestamp server name

... it was also necessary to set some registry keys which I'd found earlier but which hadn't worked in isolation:

reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampURL" /f /d "http://timestamp.comodoca.com/authenticode"
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryCount" /f /t REG_DWORD /d 2
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryDelay" /f /t REG_DWORD /d 1

Note also that the group policy changes appear just to edit the registry, so it may be possible to make the registry changes above and:

reg add "HKCU\Software\Policies\Microsoft\office\16.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\12.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\14.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\15.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"

(supporting some older Excel versions too).

Settings above are for my certificate issuer, Comodo. All references to timestamp.comodoca.com will need to be updated as appropriate.

like image 184
davidm_uk Avatar answered Oct 21 '22 01:10

davidm_uk