So will a digital certificate that is issued from a trusted signing authority, when used to sign an Excel document, allow the document to automatically run macros?
Does it make a difference whether the signature is self signed or signed by a certificate authority in terms of what the user sees?
Similar to when you use a verisign issued certificate on a webpage, the machine usually autmatically trusted certificates issued by that authority. I am wondering if the behavior in Excel is similar.
I am basically trying to address the issue of distributing Excel forms which are dependent upon a macro to function properly.
If you buy a signing key from (e.g. VeriSign), then you can use this to sign your macro code. When a user opens a file containing your signed code, what happens then depends on the “macro security level” they have set. Let’s assume it’s at the highest level, which would silently prevent any un-signed code from running.
In this case, they will be told that they file is signed by (your company name) and asked if they wish to run it. They’ll be asked this every time they open the file. However, there’s also a check-box titled “always trust macros from this publisher” – if they tick that, then any signed code from your company will thereafter be run with no further prompting.
Note: the signature you buy from VeriSign has an expiry date – usually after a year or two. Unless you take some extra steps before signing your code, then the code will no longer run after the certificate expires(!). This can lead to a nasty shock when your users suddenly find that nothing works a year later.
To ensure that the code continues to work even after the certificate has expired, you need to add some values in the registry that specify a “time-stamp server” that will be used to time-stamp the signed code. This time-stamp is later used to validate that the code was signed with a certificate that was valid at the time of signing, as opposed to one that is valid now.
For information on how to do this, see this link.