
Unable to sign VBA with valid Sectigo Code Signing certificate - but signing .msi works fine


I bumped into the same issue as this topic: Unable to sign VBA with valid Sectigo Code Signing certificate. Basically, I have a Sectigo EV code signing certificate with a USB stick that I need to plug in in order to sign my code. I am using that for signing my Excel add-in in Visual Studio (DLLs) and the .msi file that we build from that with signtool:

signtool sign /tr http://timestamp.comodoca.com /td sha256 /fd sha256 /d Prog2Installer.msi /a C:\Users\hello\source\repos\ME\Prog2\bin\Release\Prog2mInstaller.msi

That works fine, I get a pop-up asking me for my password and it signs ok.

But now I also want to use my certificate to sign my Excel/VBA xlsm file. When I plug in my USB key I can select the certificate in VBE (named "Installed by Sectigo Browser extension"), but when I save the file, I get the same feedback as the referenced post:

There is a problem with the digital certificate. The VBA project could not be signed. The signature will be cancelled

I checked the certmgr, can see the certificate there, but can't export as .pfx, only as .cer (so no private keys, as they reside on the USB stick I assume). I also added those 3 timestamp items that were suggested in the referenced post, but still nothing.

Sectigo/Comodo seem to have no clue (tried their helpdesks). I hope that anyone here can advise me what to do to get this to work?


Solution

  • I had a response from Sectigo - who had contacted the certificate token manufacturer. It looks like this is indeed Microsoft's problem - requiring an MD5 hash when signing VBA code - even though that's no longer considered secure.

    As a workaround, if you are using Safenet AND if your token still supports MD5, you can make the following registry changes:

    1. Find the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC"
    2. Add a new registry key "Crypto"
    3. Add a new string value to this key - "Disable-Crypto"
    4. Give "Disable-Crypto" a value "None"

    Then, add the signature to VBA in the usual way. In my case, when saving the file, it asks for the token password three times before completing the save.

    Full details - including more information about the issue

    Unless there is a change to the MD5 requirement for signing VBA code, it will not be possible to sign VBA code at all in the future (i.e. no certificate providers will support it). Therefore, I suggest that people contact Microsoft to urge them to act on this issue.
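
The four registry steps from the answer above, scripted so the change can be checked and undone. This is an added example, not part of the original answer and not code from Sectigo or SafeNet; the `-Action` parameter and its `Status`/`Apply`/`Revert` modes are hypothetical names introduced here, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: check, apply, or revert the SafeNet registry workaround from the answer.
# Assumption: run elevated, since writing under HKLM requires administrator rights.
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Action = 'Status'          # hypothetical parameter, default is read-only
)

$sacKey    = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAC'  # step 1: existing key
$cryptoKey = "$sacKey\Crypto"                              # step 2: new key
$valueName = 'Disable-Crypto'                              # step 3: new string value
$valueData = 'None'                                        # step 4: its data

# The workaround only applies when the SafeNet client key is present.
if (-not (Test-Path $sacKey)) {
    throw "SafeNet key not found: $sacKey"
}

# Returns the current data of Disable-Crypto, or $null when it is not set.
function Get-WorkaroundValue {
    if (-not (Test-Path $cryptoKey)) { return $null }
    $prop = Get-ItemProperty -Path $cryptoKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$valueName
}

switch ($Action) {
    'Status' {
        $current = Get-WorkaroundValue
        if ($null -eq $current) { 'Workaround not present.' }
        else { "$valueName = '$current'" }
    }
    'Apply' {
        if (-not (Test-Path $cryptoKey)) { New-Item -Path $cryptoKey | Out-Null }
        # -Force overwrites an existing value so the script can be re-run safely.
        New-ItemProperty -Path $cryptoKey -Name $valueName -Value $valueData `
            -PropertyType String -Force | Out-Null
        "Set $valueName = '$(Get-WorkaroundValue)'"
    }
    'Revert' {
        # Removes only the value; the Crypto key is left in place.
        if ($null -ne (Get-WorkaroundValue)) {
            Remove-ItemProperty -Path $cryptoKey -Name $valueName
        }
        'Workaround value removed.'
    }
}
```

Running it with `-Action Revert` after signing removes the `Disable-Crypto` value again, so the token configuration change is in place only while the VBA project is being signed.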