Pending MOTW changes - digitally signing VBA projects

[Kyle123]

From June workbooks downloaded and emailed will have their macros disabled by default with no option to enable them in the Excel GUI, I have a few people that I help with workbooks they distribute that this is likely to be problematic. Advising users to either:

• Remove the MOTW flag from the file attributes
• Create a trusted location, save the workbook there and then open
• Install a trusted certificate

Are all likely to be rather painful (but that's the intention), I think perhaps signing the code and distributing the certificate whilst may not be the easiest to talk users through initially, is likely to reduce the headache of ongoing support.

I've found the documentation a bit light on the signing and distribution process, I understand the process to be to purchase a cert, sign the VBA project and then distribute a certificate for users to install. Does anyone know whether smartscreen with an EV cert would prevent the need for users to install a cert? I suspect not, but this is how the process works for .net applications.

Has anyone gone through these options and decided a course of action for distributing macro enabled workbooks and what to tell end users? - Would be good to hear what you've decided to do

 

[jkpieterse]

As far as I know the way this is going to work is not (yet) set in stone, so it is hard to advise what the best method is going to be to distribute Office files with code.
My bet is on:

1. Sign the VBA project with a certificate from a proper certificate authority
2. Inform your users how they must unblock a file before opening

I think it is not wise to instruct people to save downloaded files to a trusted folder. The whole point of the MOTW is to make it harder for people to run code from a potentially untrusted source.

 

[Kyle123]

I'm inclined to agree, however as I understand it, signing the project isn't sufficient - one must also manually install the certificate on each machine. This seems a bit overkill, especially if the code is signed with a EV certificate which is sufficient for click once applications.

Depending on the security settings of the users machine, installing certificates could prove interesting! - I get that making it hard to run dodgy code is the point, but making it harder to run VBA code than EXEs seems a bit much - though I'd be the first to admit there's far too much malware distributed via email attachments and this is definitely a good thing!

I'm guessing that the same process will apply to office for mac

 

[jkpieterse]

Manually installing the cert isn't necessary. After unblocking the file, Excel will ask you to enable macro's and that decision is remembered as usual. Only if the user doesn't want that enable macros decision to appear again does the user have to trust the certificate. The simplest way I know of is to instruct the user to:

1. Open Excel
2. Open the VBA Editor
3. Open the file with code

This brings up the old-style enable macros dialog with the trust all from publisher button:

 

[Kyle123]

Ah right, thanks for that, a doddle then - so if the project is signed, all will work as is?

That's made life easier! Would be handy if it was written as explicitly as that on the MS site

 

[RoryA]

I expect that for a while this will be about as clear as which versions of Office had Power Pivot was to start with.

 

[Kyle123]

I've still got no idea what Power Pivot is vs Get and Transform/Power BI thingys

 

[jkpieterse]

No, whether or not a project is signed will not matter , as long as people have the default trust center settings. However, corporate IT may have a different take on this and block anything that isn't signed. Or worse.

 

[Kyle123]

Hang on, doesn't that contradict what you said above? If a project is not signed then is won't work at all from June, I'm really confused now, though admittedly that doesn't take much!

 

[jkpieterse]

Whether or not the code is signed will not make a difference regarding the new behavior, as long as the file is blocked, the code won't run. But as I said, things may be subject to change.