After moving into a new desktop with Outlook 2019 installed, my VBA Macros wouldn't run. It was failing silently. Finally I triggered this error message:
An error occured while attempting to verify the VBA project's signature. Macros will be disabled.
And the VBA editor states:
The macros in this project are disabled…
I tried answers Microsoft Outlook 2013: Error verify VBA project signature, but the information is outdated.
The advice given by Signing your own macros with SelfCert.exe worked fine. I’m not going to duplicate the write-up, which has excellent visual aids. Here’s what I learned in my own words. Maybe this will help you avoid wading through the whole article. (That’s not to say it’s hard to read.)
Here are the steps:
Create a self-signed certificate
Sign the macro with the certificate
Verify your Outlook security settings
Run for the first time
Here are more details.
One needs to have a certificate to digitally sign one’s macros. For most of us, that means creating a self-signed certificate, which is probably why you searched for an answer to this problem. Office has a utility to do this. I have the 64-bit version of Office, so I ran C:\Program Files\Microsoft Office\root\Office16\SelfCert.exe (see the article I linked to for other versions).
In the VBA Editor (ALT+F11) where you created the macro, choose:
Tools-> Digital Signature…
You should see that the current VBA project isn’t signed yet. That’s the problem. Unlike 2013, when you press the Choose… button you’ll get a screen to select the certificate you just created. (Installation was automatic.)
Next navigate:
File-> Options-> Trust Center-> Trust Center Settings…-> Macro Settings
Ensure this option is selected: Notifications for digitally signed macros, all other macros disabled
Restart Outlook. When you exit, you’ll be prompted to save changes to your VBA project. Choose “Yes”.
When you run your newly-signed macro the first time, you’ll be notified. Select that you’ll always trust the macros or documents from this publisher and you won’t be prompted again.
Related
I have made a VBA script in an Excel file. I don't want to allow all scripts to run because of security reasons so I set my Excel to work with Disable all macros except digitally signed macros Then I made a signature and signed my script. still when I try to run it, I get the following message:
Because of your security settings, macros have been disabled.
To run macros, you need to re-open this workbook, and then choose to enable macros
I would really not like to allow unrestricted use of maros, is there really no other way of using my own macro?
EDIT: I forgot to mention that I'm using Microsoft Office Excel 2007 12.06.6771.5000
You need to be sure that the VBA of the workbook is digitally signed correctly. If you open the VB-Editor and choose from menu Extras › Digital Signature it must show a certificate name in both positions.
The certificate needs to be trusted. Therefore see in Excel Options › Trust Center › Button "Preferences for Trust Center" and see if your certificate is within the list of Trusted Publishers. If it is not you need Windows to trust this certificate.
See here how to trust SSL certificate to local system account.
We use VBA macros in our company on every computer where Outlook is installed. Macros are digitally signed with a certificate to ensure security. This certificate is generate through the selfcert.exe application. When we add the digital signature on the VBA project (which contains the macros) in Outlook we choose the certificate generated previously and we check that Outlook options in the 'Trust Center Settings' are defined on 'Disable all macros except digitally signed macros'. Next, the first time we launch Outlook and run a macro, we got a message to confirm with 3 buttons: 'Trust all documents from this publisher', 'Enable Macros', 'Disable Macros'. We always choose to trust all to avoid getting this message again next time. This is working pretty well since several years on every machine.
Some weeks ago, someone complains about random freeze of Windows 10. The IT support solved this issue but unfortunately a new problem appeared: Outlook macros are always disabled on this machine. I am pretty sure this new problem is due to the previous freeze of Windows. I also read someone somewhere which crashed the disk and then Outlook macros got disabled.
What I already tried:
Remove/Add the certificate again
Create a new certificate to sign my macros
Renaming the VBA module containing the macros
Deleting the VBA module and creating it again
None of these actions worked. Macros are still disabled.
The temporary solution for now is to change the Trust Center Settings options by enabling all macros. But I cannot accept this workaround which is potentially dangerous.
I already search hours on Google and tried suggestions without luck.
Looks like your machine is corrupted. Try to repair Outlook or Office.
Be aware, you need to install a self-signed certificate as a trusted root CA in Windows. See Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista for more information.
Also you may find the Odd behaviour with macros being disabled forum thread helpful. It states the following:
I could reproduce the issue in Outlook 2013 (C2R 15.0.4927.1002). The macro would be disabled if I set 'Notifications for digitally signed macros, all other macros disabled' and i have added the CA into Trusted Publisher and Trusted Root CA list. The issue doesn't exist in Outlook 2016, I would suggest you use Outlook 2016 if you don't want to enable all macros. Besides, I suggest you submit your feedback on Outlook User Voice: https://outlook.uservoice.com/
I have built template-based add ins for Word and Excel version 2003 and previous. Those versions always required the the code to be digitally signed so that it would run on machines that had macro security turned on.
I am now working on some template based add ins for Office 2010 (to be delivered as a protected .dotm file. The add ins will create custom ribbons that provide business functionality. It looks like while I can do code signing, I no longer need to do code signing if I install my .dotm file into [user profile]\Roaming\Microsoft\Word\Startup. Can anyone verify this? In my limited testing this seems to work and I am interested in distributing this to some computers out of our domain where my code signing certificate is not trusted.
Any help would greatly appreciated. Thanks.
Yes, that has been the case since Word 97 to Word 2010 - dot/dotm files in the STARTUP folder are not checked for signing (apparently because getting them into that folder is supposed to be a manual effort). It will work without signing as long as someone has not disabled STARTUP folder add-ins (the KB on how someone would disable it is here http://support.microsoft.com/kb/921541 under section "Disable the Startup folder add-ins").
Is there a way to automate code signing a VBA project in a Word 2003 and/or Word 2007 document?
By automate I mean via a command line utility or via Word VBA automation?
Motivation: I would like to code sign several Word templates as part of an automated daily build and distribution cycle. Right now we have to do this manually by opening each document in Word and resigning.
Thank you,
Malcolm
I've never seen a way to do this. I had an automated build of a template years ago and at the end I popped up a message box saying "you have to go sign the template now" and then opened VBA for them. Just saying I feel your pain I guess.
This may be worth a look:
http://winbatch.com/
For anyone coming across this question a decade later, it seems to be possible to automate signing of VBA projects using SignTool in the Windows 10 SDK as described in this Microsoft Support page. I'll quote the specific instructions here too:
Download and install the Windows 10 SDK.
Download Officesips.exe from Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects.
To sign files and verify the signatures in files, register Msosip.dll and Msosipx.dll, and then run Offsign.bat. The detailed steps are included in the Readme.txt file in the installation folder of Officesips.exe.
Note: Use the x86 version of SignTool in the "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86" folder when you run Offsign.bat.
Haven't done this myself yet but likely will in the near future. I'll update this answer if I learn anything.
I do not believe there is an automated way to do this because it would defeat the security of code-signing VBA Project signing.
The two message digests are compared,
and if any part of the file has been
modified or corrupted, the digests
will not match and the contents of the
file can't be trusted. The
verification process will fail
regardless of how the file was
modified - whether through corruption,
a macro virus, or programmatic changes
made by an add-in or Office solution.
The verification process will also
fail if the file wasn't signed with a
valid certificate; that is, if the
certificate had expired, or had been
forged, altered, or corrupted. If
another user modifies the VBA project,
the Office 2000 application removes
the current signature and prompts the
user to re-sign the VBA project; if
the user doesn't sign the VBA project
or signs it with another certificate,
the file may fail the verification
process.
Inserted from
http://msdn.microsoft.com/en-us/library/aa190113(office.10).aspx
Code signing has the additional level of security in the fact that a developer must compile source code. A macro is not compiled and can be distributed as text. Therefore, automating macro signing would open a large security hole. Manually siging a macro is similar to Outlook prompting the user to allow programmatic access to the address book.
I want to add on certain feature in MS Office. Currently, I am looking at VBA to develop it. However, it seems that running macros requires security disabled. This means that if I distribute the VBA program, other people need to enable macros to run. (Security issues)
The problem now is, how do I distribute the VBA that I wrote? E.g. in a .exe file? And is there any other method to go about creating this add on?
I downloaded some add on for MS Word and it seems that it is written in C++ and it is in .dll format.
Thanks.
You can run macros in a document/template/add-in even in "high" security mode, if:
the VBA project is digitally signed
the user agrees to 'trust' the publisher of the digital signature
The first time the user runs a macro signed with your digital signature, they'll get a prompt saying "the macros are signed by YourCompanyName - do you want to trust all add-ins from this publisher". If they click "yes", they won't see the prompt again - and your macros will run.
See this link for details of how to create a digital signature.
Visual Studio Tools for Office (VSTO) allows you to author extensions to Microsoft Office using any .NET language, including Visual C++. Such extensions would indeed compile to DLL-files, and after installation on a client machine, they wouldn't require the user to dismiss any additional security warnings. You will need Visual Studio 2005/2008 Professional in order to use the VSTO framework.
Wikipedia has more information about VSTO, including a comparison with VBA. Amazon seems to have a fair amount of books on the subject as well.