Is there a way to automate code signing a VBA project in a Word 2003 and/or Word 2007 document?

By automate I mean via a command line utility or via Word VBA automation?

Motivation: I would like to code sign several Word templates as part of an automated daily build and distribution cycle. Right now we have to do this manually by opening each document in Word and resigning.

Thank you, Malcolm

+1  A: 

I've never seen a way to do this. I had an automated build of a template years ago and at the end I popped up a message box saying "you have to go sign the template now" and then opened VBA for them. Just saying I feel your pain I guess.

Tom Winter
Thanks for the thoughts Tom (misery loves company<g>). I'm shocked that there doesn't seem to be a way to do this. I'm continuing to search on my own, independently of this post.
Malcolm
A: 

I do not believe there is an automated way to do this because it would defeat the security of code-signing VBA Project signing.

The two message digests are compared, and if any part of the file has been modified or corrupted, the digests will not match and the contents of the file can't be trusted. The verification process will fail regardless of how the file was modified - whether through corruption, a macro virus, or programmatic changes made by an add-in or Office solution. The verification process will also fail if the file wasn't signed with a valid certificate; that is, if the certificate had expired, or had been forged, altered, or corrupted. If another user modifies the VBA project, the Office 2000 application removes the current signature and prompts the user to re-sign the VBA project; if the user doesn't sign the VBA project or signs it with another certificate, the file may fail the verification process.

Inserted from http://msdn.microsoft.com/en-us/library/aa190113(office.10).aspx

Code signing has the additional level of security in the fact that a developer must compile source code. A macro is not compiled and can be distributed as text. Therefore, automating macro signing would open a large security hole. Manually signing a macro is similar to Outlook prompting the user to allow programmatic access to the address book.

AMissico
I'm not sure I buy that conclusion because I can create scripts that code sign my executables and dlls. Furthermore, when I'm signing a VBA project, all I'm doing is selecting a certificate - I'm not even being prompted for a password.
Malcolm
True, but notice that there is no automated way to set the password for a VBA project. Moreover, you are not prompted for a password because the private key is already in the certificate store. Code signing is automated because developers have to compile the code before deployment, which is a level of security.
AMissico
Besides, if a developer really wanted to automate this process, I am sure they can come up with a way since they have complete control of their machine.
AMissico
Imagine how big the possible Office security hole would be if a hacker could create "sign macros" on a target machine.
AMissico
Thank you for your patience in answering this question :)
Malcolm
A: 

This may be worth a look: http://winbatch.com/

Sam at TVentures