vcsjones / AzureSignTool

SignTool Library and Azure Key Vault Support
MIT License

Sign VBA project #126

Open rfcdejong opened 3 years ago

rfcdejong commented 3 years ago

Can AzureSignTool sign VBA macro projects inside word, excel, etc?

Microsoft Signtool allows it when there is a special SIP package installed https://stackoverflow.com/a/57039432/578552

rfcdejong commented 3 years ago

After reading into what VBA signing is, I figured out that signing a VBA file is in fact done by SignedCms. Looking at the source from EPPlus I found that it is doing it that way. https://github.com/EPPlusSoftware/EPPlus/blob/96a7ac124515c41ce6336a64ed377549300d440a/src/EPPlus/Vba/ExcelVBASignature.cs#L263

Except that we do not have a private key, the azure key vault has. So perhaps this issue is related https://github.com/dotnet/runtime/issues/24707

And implemented into .net core 3.0 and newer https://github.com/dotnet/corefx/pull/29219

Any ideas to support SignedCms inside AzureSignTool? Or am I missing something?

akamisarau commented 2 years ago

Hi, any updates there? There is a need to sign VBA macros (xlsm) using AzureSignTool, but it does not work (tried both 2.0.17 and 3.0.0 versions):

fail: AzureSignTool.SignCommand[0] The file cannot be signed because it is not a recoginized file type for signing or it is corrupt.
fail: AzureSignTool.SignCommand[0] Signing failed with error 800B0003.

With signtool from Windows SDK it works after adding appropriate SIP. Could you please help?

Mavranic commented 2 years ago

Just wanted to add my name to this. As above. Would be great if this could be resolved.

ABNOTECHGuy commented 1 year ago

Need this functionality urgently. Government contract. Cert is an EV HSM-RSA AzureKeyVault cert. Currently useless for signing document macros.

vince-hardwick commented 1 year ago

Adding my voice to the above, urgent need to sign VBA project in a local .xlsm file.

As of recently, our certificate provider no longer allows their standard code signing certificates to be exported as a .pfx file, in order to comply with CA/B changes to improve private key protection:

https://support.globalsign.com/code-signing/new-requirements-related-private-key-protection-codesigning-certificates

We are therefore unable to install the certificate on any machines, and can only apply digital signatures to VBA projects in .xlsm files using the FIPS 140-2 Level 2 compliant secure USB token onto which the certificate has been installed... which can obviously be used by only one person at a time, and is therefore a single point of failure. This is particularly problematic given that I am that one person/SPoF, and I am a remote worker!

As noted by @akamisarau above, I'm just getting the following when I try AzureSignTool from cmd:


Please could you provide an update on progress with this much-needed functionality, thanks.

namazso commented 1 year ago

I can confirm this is at least possible, I got a PoC working (not based on AzureSignTool though)

jozefizso commented 1 year ago

Is there a call which can be hooked? Because when I used the API Monitor and the SIP was signing data, the process behaved differently than signtool doing MSI/EXE/DLL files.

And I wasn't able to find hook for that process.

namazso commented 1 year ago

Hooking is not necessary, you can simply just use the /dlib of signtool. While realizing this took me way too much time, it turns out the author of this repo has a blogpost on it as well as a rust implementation. It's almost identical to my C++ solution.

namazso commented 1 year ago

I also posted my C++ implementation of essentially the same thing: https://github.com/namazso/AzuKI

Using the x86 signtool and x86 build following the earlier stackoverflow answer can correctly sign various office files with VBA. Not sure if they're supposed to be visible or have any effect (it still gets blocked by Excel), but it passes signtool verify.

rwsdwatson commented 1 year ago

Ahh yes, I too would like this facility. I read the main page about it honouring SIPs and thought it would work.

danguetta commented 1 year ago

Adding my voice to this request, as well as a hearty thank you to everyone who has worked on this repo :-) I don't think I have the skills to do this myself, but if someone can talk me through the outlines of what would be required, happy to try and do the work...

connorburgessM4A commented 1 year ago

Adding my name to this. Would be great if this could be resolved.

m-puolitaival commented 8 months ago

Adding another interested party for this feature.

georg-jung commented 7 months ago

It is already possible to sign xlsm/... files with AzureSignTool. Thanks @vcsjones for the great work!

Microsoft Signtool allows it when there is a special SIP package installed

So does AzureSignTool. The important point here is that the Office SIPs are x86/32bit only and modern .NET apps tend to execute as 64bit.

This works for me:

  1. Install Office SIPs according to the included readme
  2. Execute in a shell
    git clone https://github.com/vcsjones/AzureSignTool.git
    cd AzureSignTool/src/AzureSignTool
    dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
    dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
    dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
    • It is actually required to run the same command 3x, to first create a legacy signature, then an agile signature, then a V3 signature. See readme of Office SIPs.
  3. signtool verify /pa D:\signtest.xlsm returns

    File: D:\signtest.xlsm
    Index  Algorithm  Timestamp
    ========================================
    0      sha256     RFC3161
    
    Successfully verified: D:\signtest.xlsm

danguetta commented 7 months ago

EDIT: it looks like I solved the problem below.

The problem is that the Regsvr32 step required to install the SIP doesn't "stick around" - it needs to be run in the same terminal session as the actual signtool. In particular, if you're using github actions to do this, it needs to be run in the same run command


First off, thanks so much for adding this feature! I tried all the steps, but unfortunately I'm getting this error:

Signing failed with error 800403F4.

I tried to follow the instructions here and use an older version of the C++ redistributables, but to no avail - same error.

Any idea what might be going on? The error message is somewhat cryptic...

Thanks so much!


Full output:

trce: AzureSignTool.SignCommand[0] Retrieving certificate .
trce: AzureSignTool.SignCommand[0] Retrieved certificate .
trce: AzureSignTool.SignCommand[0] Creating context
info: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Signing file.
trce: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Getting SIP Data
trce: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Calling SignerSignEx3 with flags: SIGN_CALLBACK_UNDOCUMENTED
fail: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Signing failed with error 800403F4.
info: AzureSignTool.SignCommand[0] => File: macro_file.xlsm Stopping file signing.
info: AzureSignTool.SignCommand[0] Successful operations: 0
info: AzureSignTool.SignCommand[0] Failed operations: 1
Error: Process completed with exit code 2.
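
The procedure @georg-jung lays out above (register the 32-bit Office SIPs, run AzureSignTool three times as an x86 process, verify with signtool), together with @danguetta's point that the regsvr32 registration and the signing run must happen in the same job step, as one PowerShell script. This is an added example, not code from this issue thread or from the AzureSignTool project. The SIP DLL names and directory, the vault URL and certificate name (taken over from the placeholders in the thread), and the presence of an x86 AzureSignTool.exe and signtool.exe on PATH are assumptions; adjust them to your environment. The PE-header check is there because a 64-bit process cannot load the 32-bit SIPs, which is what the 800B0003 (TRUST_E_SUBJECT_FORM_UNKNOWN, "no SIP recognizes this file type") reported earlier in the thread means.

```powershell
<#
  Added example (not from the issue thread or the AzureSignTool project).
  Registers the 32-bit-only Office VBA SIPs, signs an Office file three times with an
  x86 AzureSignTool, and verifies with signtool, all in ONE script so that registration
  and signing happen in the same job step (e.g. one `run:` step in GitHub Actions).
  Assumed: SIP DLL names/location, vault URL, certificate name, tools on PATH.
  Run from an elevated shell; regsvr32 needs admin rights.
#>
param(
    [Parameter(Mandatory)] [string] $File,                                     # e.g. D:\signtest.xlsm
    [string] $SipDir        = 'C:\OfficeSIPs',                                 # assumed: extracted SIP package
    [string] $VaultUrl      = 'https://contoso-codesigning.vault.azure.net/',  # placeholder from the thread
    [string] $CertName      = 'contoso-codesigning-ov',                        # placeholder from the thread
    [string] $TsaUrl        = 'http://timestamp.acs.microsoft.com/',
    [string] $AzureSignTool = 'AzureSignTool.exe'                              # assumed: a win-x86 build on PATH
)
$ErrorActionPreference = 'Stop'

# Read IMAGE_FILE_HEADER.Machine from the PE header so we fail early when the tool is
# not 32-bit. A 64-bit process never sees the 32-bit SIPs and signing fails with
# 800B0003 (TRUST_E_SUBJECT_FORM_UNKNOWN).
function Get-PeMachine([string] $Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)                   # e_lfanew
    if ($bytes[$peOff] -ne 0x50 -or $bytes[$peOff + 1] -ne 0x45) {   # "PE"
        throw "$Path is not a PE image"
    }
    return [BitConverter]::ToUInt16($bytes, $peOff + 4)              # Machine field
}

$toolPath = (Get-Command $AzureSignTool).Source
$machine  = Get-PeMachine $toolPath
if ($machine -ne 0x14C) {   # 0x14C = IMAGE_FILE_MACHINE_I386
    throw ("{0} is not an x86 binary (Machine=0x{1:X4}); publish it with -r win-x86" -f $toolPath, $machine)
}

# Register the SIPs with the 32-bit regsvr32 (SysWOW64 on 64-bit Windows). /s suppresses
# the dialog, so a failure shows up only in the exit code, which we check explicitly.
$sysDir   = if ([Environment]::Is64BitOperatingSystem) { 'SysWOW64' } else { 'System32' }
$regsvr32 = "$env:WINDIR\$sysDir\regsvr32.exe"
foreach ($dll in @('msosip.dll', 'msosipx.dll')) {   # assumed names; take them from the SIP package readme
    $dllPath = Join-Path $SipDir $dll
    if (-not (Test-Path $dllPath)) { throw "SIP DLL not found: $dllPath" }
    & $regsvr32 /s $dllPath
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 failed for $dll (exit $LASTEXITCODE)" }
}

# Three passes, as the thread relays from the SIP readme: the first writes the legacy
# signature, the second the agile signature, the third the V3 signature.
# -kvm authenticates with the host's managed identity; -tr requests an RFC 3161 timestamp.
foreach ($pass in @('legacy', 'agile', 'V3')) {
    Write-Host "Signing pass: $pass"
    & $AzureSignTool sign $File -kvm -kvu $VaultUrl -kvc $CertName -tr $TsaUrl
    if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed on the $pass pass (exit $LASTEXITCODE)" }
}

# Verify the way the thread does; /pa = default Authenticode policy, /v = verbose listing.
& signtool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit $LASTEXITCODE)" }
Write-Host "Signed and verified: $File"
```

Usage: `.\Sign-VbaProject.ps1 -File D:\signtest.xlsm` from an elevated PowerShell on the signing host. If you run the tool via `dotnet run -r win-x86` from a source checkout as in the thread instead of a published x86 exe, drop the PE-header check, since `Get-Command dotnet` would resolve the 64-bit host rather than the x86 apphost that `-r win-x86` produces.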

m-puolitaival commented 7 months ago

It is already possible to sign xlsm/... files with AzureSignTool. Thanks @vcsjones for the great work!

Microsoft Signtool allows it when there is a special SIP package installed

So does AzureSignTool. The important point here is that the Office SIPs are x86/32bit only and modern .NET apps tend to execute as 64bit.

This works for me:

  1. Install Office SIPs according to the included readme
  2. Execute in a shell
    git clone https://github.com/vcsjones/AzureSignTool.git
    cd AzureSignTool/src/AzureSignTool
    dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
    dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
    dotnet run sign "D:\signtest.xlsm" -kvm -kvu https://contoso-codesigning.vault.azure.net/ -kvc contoso-codesigning-ov -tr http://timestamp.acs.microsoft.com/ -r win-x86
    • It is actually required to run the same command 3x, to first create a legacy signature, then an agile signature, then a V3 signature. See readme of Office SIPs.
  3. signtool verify /pa D:\signtest.xlsm returns

    File: D:\signtest.xlsm
    Index  Algorithm  Timestamp
    ========================================
    0      sha256     RFC3161
    
    Successfully verified: D:\signtest.xlsm

I can confirm that these instructions did the trick for us.