How do I sign an XLA from Excel 2016 with a timestamp?

Question

I am struggling to sign an XLA from Excel 2016 with a timestamp. This is important, because without a timestamp the signature becomes invalid when the code signing certificate used expires. Unfortunately by default Excel does not apply a timestamp to the signature.

Microsoft's documentation (https://learn.microsoft.com/en-us/deployoffice/security/use-digital-signatures-with-office) states:

To use the time stamp functionality with digital signatures, you must complete the following tasks:

Set up a time stamp server that is compliant with RFC 3161

Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.

My certificate issuer, Comodo, states that their time stamping server (http://timestamp.comodoca.com) supports RFC 3161 (https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server).

I downloaded and installed the Office 2016 Administrative Template files (ADMX/ADML) from https://go.microsoft.com/fwlink/p/?LinkID=626001 in order to apply group policy settings. In the Local Group Policy Editor, I can then access User Configuration, Administrative Templates, Microsoft Office 2016, Security Settings, Digital Signatures where the relevant group policy settings are found.

I initially set the following:

Specify timestamp server name to http://timestamp.comodoca.com
Set timestamp server timeout to 20

... then when these didn't work (see below), I also set:

Specify minimum XAdES level for digital signature generation to XAdES-T
Requested XAdES level for signature generation to XAdES-T

... because XAdES-T "Adds a time stamp to the XML-DSig and XAdES-EPES sections of the signature, which helps protect against certificate expiration" - which sounds like what I need.

I am signing in the VBA Editor using Digital Signature from the Tools menu.

However, when I check the signature, I still see no timestamp.

I am checking the signature as follows (I'm not aware of a simpler way):

In the Developer ribbon, click Macro Security, select Add-ins, then check Require Application Add-ins to be signed by Trusted Publisher. Click OK, then close Excel. (I'm not a trusted publisher, so I am intentionally causing my add-in to be disabled.)
Restart Excel, and create an empty workbook. (My add-in is configured to be loaded automatically.) A SECURITY WARNING is shown due to step 1.

Click for more details as prompted, then choose Advanced Options from the Enable Content menu.

In the Microsoft Office Security Options dialog, scroll down to the add-in which was signed and click Show Signature Details. This opens the Digital Signature Details dialog which shows Signing time: Not available, indicating the lack of a timestamp:

My understanding is that a signature with a timestamp will show it here, e.g.

... but I have been unable to achieve this with my XLA.

Where is "Microsoft Office Security Options dialog". That signature dialog does not appear in the VBA editor. Does not mention the timestamp. I would really like to know if it is working. — Tuntable, Aug 12 '23 at 05:39

score 3 · Accepted Answer · answered Nov 13 '20 at 12:55

I found that in addition to the Group Policy changes detailed in my question:

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Digital Signatures\

... it was also necessary to set some registry keys which I'd found earlier but which hadn't worked in isolation:

reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampURL" /f /d "http://timestamp.comodoca.com/authenticode"
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryCount" /f /t REG_DWORD /d 2
reg add "HKCU\Software\Microsoft\VBA\Security" /v "TimeStampRetryDelay" /f /t REG_DWORD /d 1

Note also that the group policy changes appear just to edit the registry, so it may be possible to make the registry changes above and:

reg add "HKCU\Software\Policies\Microsoft\office\16.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\12.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\14.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"
reg add "HKCU\Software\Policies\Microsoft\office\15.0\common\signatures" /v tsalocation /f /d "http://timestamp.comodoca.com"

(supporting some older Excel versions too).

Settings above are for my certificate issuer, Comodo. All references to timestamp.comodoca.com will need to be updated as appropriate.

score 1 · Answer 2 · edited Jun 20 '20 at 09:12

1

According to your timestamp server's documentation:

RFC 3161 timestamping is used by SignTool (using the /tr parameter) and other applications (such as jarsigner).

Our time stamping server (http://timestamp.comodoca.com) automatically selects the appropriate signature algorithm (RSA/SHA-1, RSA/SHA-256 or RSA/SHA-384) with which to sign each timestamp, based on the hash algorithm you specify (e.g. via SignTool's /td parameter).

^{(Image Source)}

More Information:

Wikipedia : Trusted Timestamping: Creating a timestamp
Office.com : Add or remove a digital signature in Office files
MSDN: SignTool (Windows)
MSDN: Cryptography Tools: Introduction to Code Signing

edited Jun 20 '20 at 09:12

Community

1
1

answered Jun 02 '18 at 06:39

ashleedawg

20,365
9
72
105

I’m unable (I believe) to use signtool to sign an XLA though? We use it successfully with time stamping for EXEs and DLLs, but I’m pretty certain that XLAs must be signed within Excel. – davidm_uk Jun 02 '18 at 13:24
https://stackoverflow.com/questions/47933788/command-line-tool-or-code-to-sign-and-or-check-digital-signature-on-an-excel-f – davidm_uk Jun 02 '18 at 13:27

How do I sign an XLA from Excel 2016 with a timestamp?

2 Answers2

More Information:

Linked