We are using a DigiCert EV Code Signing certificate (Extended Validation) to sign some Excel files. This works without any problems from the Start Page of Excel ('Protect and Sign Excel File').
Now we are trying to sign VBA macros in Excel with the same certificate, but without success. When I open the VBA editor -> Tools -> Digital Signature -> Select DigiCert Certificate -> Ok -> Close VBA and Save,
I get the following error:
There is a problem with the digital certificate. The VBA project could not be signed. The signature will be canceled.
The EV Key is stored on a Thales SafeNet 5110 HSM Token. The Key can't be exported. Operating System is a Windows 10 Enterprise 22H2 and Excel 2019.
We have also asked the DigiCert Helpdesk, but they couldn't provide a solution. They suggested exporting the certificate with the key (see below), but this solution was intended for OV certificates and not EV (where key export is not allowed, hence the token).
Tested:
I already tried to export the certificate (with DigiCert's CertUtil.exe and also with Windows CertManager) and reimport it: 1) as "My Certificates" and 2) letting Windows decide the storage (as suggested in another StackOverflow QA).
I have also downloaded the intermediate certificate DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 from DigiCert's website and installed it as trustworthy CA.
I added the Timestamp Server:
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampURL" /f /d "http://timestamp.digicert.com"
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryCount" /f /t REG_DWORD /d 2
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryDelay" /f /t REG_DWORD /d 1
Steps to reproduce:
certmgr.msc)
Current Behaviour:
Error is shown:
There is a problem with the digital certificate. The VBA project could not be signed. The signature will be canceled.
Expected Behaviour:
Saving VBA Macro with Certificate works.
I found the Issue:
Thales disabled hashing algorithms like SHA1 or MD5 in newer drivers (SafeNet Authentication Client 10.5 or newer) for SafeNet tokens, like the one we use.
Microsoft requires MD5 for hashing of VBA projects. This can't be changed (at the moment). (See Microsoft KB article: https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-oshared/40c8dab3-e8db-4c66-a6be-8cec06351b1e )
With the old drivers, signing worked fine.
The solution is to enable the old hashing algorithms in the SafeNet driver. This can be done in the registry:
Hive: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto
Key: Disable-Crypto
Value: None
After setting this value, signing of VBA macros works fine.
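
An added example, not part of the original post: a read-only PowerShell check that reports the registry values named in the question and answer and lists the code-signing certificates in the current user's store. The registry paths and value names are taken from this page; the helper name `Get-RegValue` and the report layout are assumptions of this example.

```powershell
# Read-only preflight check for the settings named on this page.
# Registry paths and value names are copied from the question and answer;
# the helper name and the report layout are assumptions of this example.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAC\Crypto'; Name = 'Disable-Crypto';      Expected = 'None' }
    @{ Path = 'HKCU:\Software\Microsoft\VBA\Security';            Name = 'TimeStampURL';        Expected = 'http://timestamp.digicert.com' }
    @{ Path = 'HKCU:\Software\Microsoft\VBA\Security';            Name = 'TimeStampRetryCount'; Expected = 2 }
    @{ Path = 'HKCU:\Software\Microsoft\VBA\Security';            Name = 'TimeStampRetryDelay'; Expected = 1 }
)

$report = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected = $c.Expected
        # Compare as strings so REG_SZ and REG_DWORD values are handled alike.
        Match    = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
    }
}
$report | Format-Table -AutoSize -Wrap

# Code-signing certificates visible to the current user. A certificate that the
# VBA editor can sign with needs an associated private key (HasPrivateKey = True).
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object Subject, NotAfter, HasPrivateKey,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-List
```

The script only reads; it changes neither the SafeNet setting nor the VBA timestamp values.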