Signed workbook depends on physical location of AddIn - Digital Signature Invalid - workaround?

AndyB

I have an issue that I have struggled with for some time, and failed
to work around. I have a signed workbook whose signature seems to
depend on the exact physical location of an AddIn on which it depends.
I hope someone can advise me how to avoid the problem.

I want to distribute a set of signed workbooks (containing macros and
using functions that depend on an AddIn) to end users, and I would
like the end users to be able to put the AddIn in their local settings
folder for excel addins. Both the workbooks and the AddIn are signed
by a kosher Verisign Class 3 certificate and work fine if installed on
the target system in the same directory location as the development
system.

Trouble is ... if the AddIn is installed in a different place (such as
the user's .../Application Data/Microsoft/AddIns folder), the signature
on the workbook becomes invalid when it is saved by the user. Note
the user is allowed to change some of the content of the workbook, but
can't change the VBA code. When saved and reopened, the following
message is produced:

"The macros in this file do not match the digital signature. Only a
macro virus would cause this. Please scan for viruses and notify the
publisher of this document. Macros will be disabled."

Note also that there isn't a virus and the only thing that has changed
is the AddIn is in a new location.

Please help! How can I install my AddIn so that users are not exposed
to this problem?

Any and all advice would be gratefully received. Below is a copy of
an earlier post that describes how to generate a simple test case for
the problem.

Regards

Andy Bethell
-----------------------------------------------
PS: I am using vanilla Office 2003, Norton Antivirus 2003, Windows XP
Pro (fully patched), but the problem seems to be OS and Office version
independent, ie. I have seen it on Windows 2000, Office 2000 and
Office XP

To summarise the problem:

I have a set of workbooks containing signed macros.
Each workbook refers to an AddIn containing common functions (also
signed)
When I use the workbooks and AddIn in the location in which they were
signed, everything works fine.
If I move the workbooks to another computer in the 'same' location
(eg. C:\Program Files\MyApp), everything works fine.
If I move the workbooks to a different location (on the signing
computer or another computer), changes to the workbooks cannot be
saved without invalidating the digital signature, making the workbooks
unusable. The error message produced is as shown below.


"The macros in this file do not match the digital signature. Only a
macro virus would cause this. Please scan for viruses and notify the
publisher of this document. Macros will be disabled."



I have generated a reproducible test case. For the test case it does
not matter whether the macros are signed with my kosher Verisign Class
3 code-signing certificate or a self-signed certificate. I can supply
a copy of my test case.

To generate the test case:

1. Create an AddIn with a simple function, eg. to display a MsgBox
(MyMacro in MyAddIn), sign the AddIn and save to MyFolder (anywhere).
2. Load and install the AddIn in Excel.
3. Create a workbook (MyWorkbook) that invokes MyMacro in MyAddin (eg.
using a command button OnClick event). Sign the workbook and save to
the same folder as the AddIn (MyFolder).
4. Exit Excel
5. MOVE the folder 'MyFolder' to a different location on the
filesystem.
6. Start Excel without opening any of the above.
7. Remove the existing AddIn (MyAddIn) from the AddIns list (Excel
will give an error since it can no longer find the AddIn in its
original location).
8. Restart Excel
9. Add the AddIn in its new location to the AddIns list.
10. Open MyWorkbook.
11. Save (^S) MyWorkbook
12. Exit Excel
13. Open MyWorkbook

You should now get the error about signature mismatch.

I believe the above test case roughly simulates distributing the
signed workbooks and AddIn to end users, who may choose to install the
workbooks and AddIn in a location of their choice. However, it seems
that if they choose a location 'different' to the one that the
workbooks and Addin were signed at, no changes to the workbooks can be
saved without them becoming unusable.
 
AndyB

In case anyone is interested, this behaviour is 'by design'.

If you sign a VBA project that has an external dependency on an XLA AddIn, the signature is invalidated when the references are fixed up by Excel, if the physical location of the AddIn has changed since the project was signed.

AndyB
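
The mechanism described in the reply above, as an added example that is not part of the original thread and is not Excel's actual hashing code. It is a simplified model that assumes the signed digest covers the stored absolute path of the add-in reference; the class, function names and paths are constructed, and the name-only variant is a hypothetical contrast used to isolate the path as the cause.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class VbaProject:
    source: str    # macro code, which the end user cannot change
    ref_name: str  # name of the add-in project the workbook references
    ref_path: str  # absolute path stored for that reference

def digest(project: VbaProject, cover_path: bool = True) -> str:
    """Digest standing in for the signed hash (model assumption, not Excel's format)."""
    fields = [project.source, project.ref_name]
    if cover_path:
        fields.append(project.ref_path)
    return hashlib.sha256("\x00".join(fields).encode("utf-8")).hexdigest()

def fix_up(project: VbaProject, installed: dict) -> VbaProject:
    """Re-point the reference at wherever the add-in is installed on this machine."""
    return replace(project, ref_path=installed.get(project.ref_name, project.ref_path))

def verify_after_save(project, signed_digest, installed, cover_path=True) -> bool:
    """Open, fix up references, save, reopen: does the stored digest still match?"""
    saved = fix_up(project, installed)
    return hmac.compare_digest(digest(saved, cover_path), signed_digest)

# Constructed sample values (paths and macro text are illustrative only)
DEV_PATH = r"C:\Program Files\MyApp\MyAddIn.xla"
USER_PATH = r"C:\Documents and Settings\user\Application Data\Microsoft\AddIns\MyAddIn.xla"
WORKBOOK = VbaProject("Sub Button_Click(): MyMacro: End Sub", "MyAddIn", DEV_PATH)

def relocation_outcomes() -> dict:
    signed = digest(WORKBOOK)                       # digest taken at signing time
    name_only = digest(WORKBOOK, cover_path=False)  # hypothetical path-free digest
    return {
        "same_location": verify_after_save(WORKBOOK, signed, {"MyAddIn": DEV_PATH}),
        "moved_addin": verify_after_save(WORKBOOK, signed, {"MyAddIn": USER_PATH}),
        "moved_addin_name_only_model": verify_after_save(
            WORKBOOK, name_only, {"MyAddIn": USER_PATH}, cover_path=False),
    }

if __name__ == "__main__":
    for case, ok in relocation_outcomes().items():
        print(f"{case}: {'signature valid' if ok else 'signature INVALID'}")
```

In this model the macro source is byte-for-byte identical in all three cases; only the rewritten reference path makes the digest differ, which matches the "macros do not match the digital signature" message appearing with no code change.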