Pending MOTW changes - digitally signing VBA projects

Kyle123

From June, workbooks downloaded and emailed will have their macros disabled by default with no option to enable them in the Excel GUI. I have a few people that I help with workbooks they distribute, for whom this is likely to be problematic. Advising users to either:
  • Remove the MOTW flag from the file attributes
  • Create a trusted location, save the workbook there and then open
  • Install a trusted certificate
are all likely to be rather painful (but that's the intention). I think perhaps signing the code and distributing the certificate, whilst it may not be the easiest to talk users through initially, is likely to reduce the headache of ongoing support.

I've found the documentation a bit light on the signing and distribution process. I understand the process to be to purchase a cert, sign the VBA project and then distribute a certificate for users to install. Does anyone know whether SmartScreen with an EV cert would prevent the need for users to install a cert? I suspect not, but this is how the process works for .NET applications.

Has anyone gone through these options and decided a course of action for distributing macro-enabled workbooks and what to tell end users? Would be good to hear what you've decided to do.
 

As far as I know the way this is going to work is not (yet) set in stone, so it is hard to advise what the best method is going to be to distribute Office files with code.
My bet is on:
  1. Sign the VBA project with a certificate from a proper certificate authority
  2. Inform your users how they must unblock a file before opening
I think it is not wise to instruct people to save downloaded files to a trusted folder. The whole point of the MOTW is to make it harder for people to run code from a potentially untrusted source.
 
Upvote 0
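
An added example (not part of any post in this thread): a PowerShell function that reports which workbooks in a folder carry the Mark of the Web, by reading the NTFS `Zone.Identifier` stream that "unblocking" a file removes. The Downloads folder and the list of extensions are assumptions.

```powershell
# Added example: report Mark-of-the-Web on macro-capable workbooks in a folder.
# Read-only: nothing here modifies any file.
function Get-WorkbookMotw {
    param(
        [Parameter(Mandatory)] [string] $Folder
    )
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }

    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $_.Extension -in '.xlsm', '.xlsb', '.xls', '.xlam' } |
        ForEach-Object {
            $file = $_
            # MOTW lives in the NTFS alternate data stream "Zone.Identifier".
            $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $zoneId = $null
            $hostUrl = $null
            if ($stream) {
                # The stream is a small INI file: [ZoneTransfer], ZoneId=3, HostUrl=...
                foreach ($line in Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier') {
                    if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
                    elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') { $hostUrl = $Matches[1].Trim() }
                }
            }
            [pscustomobject]@{
                File    = $file.Name
                HasMotw = [bool]$stream
                ZoneId  = $zoneId
                Zone    = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { $null }
                HostUrl = $hostUrl
            }
        }
}

# Usage: list workbooks marked as coming from the Internet or Restricted zone.
Get-WorkbookMotw -Folder "$env:USERPROFILE\Downloads" |
    Where-Object { $_.ZoneId -ge 3 } |
    Format-Table -AutoSize

# Unblocking a single file whose origin you have verified removes that stream:
#   Unblock-File -LiteralPath 'C:\path\to\workbook.xlsm'
```

The stream only exists on NTFS volumes, so a file with no `Zone.Identifier` is reported with `HasMotw` set to False rather than as an error.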
I'm inclined to agree; however, as I understand it, signing the project isn't sufficient - one must also manually install the certificate on each machine. This seems a bit overkill, especially if the code is signed with an EV certificate, which is sufficient for ClickOnce applications.

Depending on the security settings of the user's machine, installing certificates could prove interesting! - I get that making it hard to run dodgy code is the point, but making it harder to run VBA code than EXEs seems a bit much - though I'd be the first to admit there's far too much malware distributed via email attachments and this is definitely a good thing!

I'm guessing that the same process will apply to Office for Mac.
 
Upvote 0
Manually installing the cert isn't necessary. After unblocking the file, Excel will ask you to enable macros and that decision is remembered as usual. Only if the user doesn't want that enable macros decision to appear again does the user have to trust the certificate. The simplest way I know of is to instruct the user to:
  1. Open Excel
  2. Open the VBA Editor
  3. Open the file with code
This brings up the old-style enable macros dialog with the trust all from publisher button:
[Image: 1649677143530.png]
 
Upvote 0
Ah right, thanks for that, a doddle then - so if the project is signed, all will work as is?

That's made life easier! Would be handy if it was written as explicitly as that on the MS site.
 
Upvote 0
I expect that for a while this will be about as clear as which versions of Office had Power Pivot was to start with. :)
 
Upvote 0
:ROFLMAO: I've still got no idea what Power Pivot is vs Get and Transform/Power BI thingys
 
Upvote 0
No, whether or not a project is signed will not matter, as long as people have the default trust center settings. However, corporate IT may have a different take on this and block anything that isn't signed. Or worse.
 
Upvote 0
Hang on, doesn't that contradict what you said above? If a project is not signed then it won't work at all from June. I'm really confused now, though admittedly that doesn't take much!
 
Upvote 0
Whether or not the code is signed will not make a difference regarding the new behavior: as long as the file is blocked, the code won't run. But as I said, things may be subject to change.
 
Upvote 0
