
We've created an Excel DNA AddIn and we're getting it ready for the wild. So we want to have it signed with our organisation's code-signing certificate.

So, after receiving a pfx certificate, I installed it to my personal space and grabbed the thumbprint and used the SignFile task in our .csproj file to make signed output files on a release build.

Here is the code from the csproj file. Worth noting that there is an AfterBuild target that copies the output files to the out directory and renames them.

<Target Name="SignOutputs" AfterTargets="AfterBuild"
          Condition="$(Configuration) == 'Release'">
  <PropertyGroup>
    <FileToSign32>$(SolutionDir)out\AddIn.xll</FileToSign32>
    <FileToSign64>$(SolutionDir)out\AddIn64.xll</FileToSign64>
    <CertificateThumbprint>8ccfeae0....</CertificateThumbprint>
    <TimestampUrl>http://timestamp.digicert.com</TimestampUrl>
  </PropertyGroup>
  <SignFile CertificateThumbprint="$(CertificateThumbprint)" SigningTarget="$(FileToSign32)" TimestampUrl="$(TimestampUrl)" />
  <SignFile CertificateThumbprint="$(CertificateThumbprint)" SigningTarget="$(FileToSign64)" TimestampUrl="$(TimestampUrl)" />
</Target>

This correctly signs the output files. When you look at the digital signature of the files, it's all happy and good - "This digital signature is OK", etc. The certificate has another 3 years on it, so we're definitely in date.

Running signtool verify on it returns okay as well.

signtool verify /v /pa "AddIn.xll"

Verifying: AddIn.xll
Signature Index: 0 (Primary Signature)
Hash of file (sha256): Hash here

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: Hash here

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 13:00:00 2028
        SHA1 hash: Hash here

            Issued to: Us
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Wed Oct 09 13:00:00 2019
            SHA1 hash: Hash here

The signature is timestamped: Tue Oct 25 11:29:42 2016
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: Hash here

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 01:00:00 2021
        SHA1 hash: Hash here

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 01:00:00 2024
            SHA1 hash: Hash here

Successfully verified: AddIn.xll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

I thought this meant it was all signed and happy. So I went ahead and ran this in Excel, and received a warning message:

Warning: The digital signature on this application add-in is invalid and cannot
be trusted. Application add-in is disabled.

Bemused, mythed and befuddled, I flailed around until I managed to stumble across Enable Trust Center logging. Then, I managed to find the Trust Center logs. For the AddIn, it has this entry.

---
Content Type: Add-in DLL
Binary: "C:\development\out\AddIn.xll"
Certificate: Us
Certificate Signature: DigiCert SHA2 Assured ID Code Signing CA
Certificate Status: Tampered
Trust Center Decision: Block Content
User Decision: Block Content
Error Code: 80096001

80096001 according to MSDN apparently maps to this message: "A system-level error occurred while verifying trust".

That doesn't give me much to go on. I can't see anything obviously wrong, but it's possible I'm missing something.

Signing with signtool in the dev command prompt yields the same result.

I've just been running in circles on Google, and I'm starting to get to the point now where the results are offering me executables to fix the corrupted system files that cause this (spoiler: they're almost certainly malware). So I think I need some guidance.

How do I sign my XLL files without having them come up as "tampered"?

Craig Brett
  • Have you tried with a different certificate, e.g. a test one you make with MakeCert? – Govert Oct 26 '16 at 12:41
  • It might be worth searching on / posting to the Excel for Developers forum on MSDN: https://social.msdn.microsoft.com/Forums/office/en-US/home?forum=exceldev – Govert Oct 26 '16 at 12:42
  • @Govert: Thanks for your response. Interestingly, when I take the exact same steps but use a self-signed certificate, I get: "Certificate Status: Untrusted". Does this point to it being a problem with the certificate itself? Or is it just that it checks for trustedness (if that's a word) before it checks for tampering? – Craig Brett Oct 31 '16 at 11:43
  • I also went ahead and posted a question in the Excel for Developers forum, so hopefully I can get some help from there too. Cheers for the tip. – Craig Brett Oct 31 '16 at 14:50
  • I've not tried myself, but other users have asked about the signing, and I've never heard of the problem you have with the "Tampered" status (nor do I know whether it worked with a 'real' certificate). Maybe there is some issue particular to the signature algorithm? But I don't know why Office and the Windows tools have a different opinion of your certificate. – Govert Nov 01 '16 at 11:38
  • Could this story about having to sign with SHA1 before SHA2 perhaps be relevant? - https://successfulsoftware.net/2016/01/22/software-sha1-sha2-digital-certificates/ – Govert Mar 05 '17 at 19:09
  • Hey @CraigBrett, Firstly COYS :). Secondly, did you manage to resolve this issue? I've been suffering with exactly the same symptoms: https://stackoverflow.com/q/47547387/57215 – MarkNS Nov 29 '17 at 08:59
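As an added example (not code from the question or from any of the commenters), the PowerShell script below gathers the signature facts worth comparing against the Trust Center log entry before chasing the 80096001 error further: the Authenticode status as Windows itself reports it (HashMismatch is the Authenticode notion of "tampered"), whether the signer certificate actually carries the Code Signing EKU, who counter-signed the timestamp, and which file-digest algorithms (sha1, sha256, or both) the signature uses, which is the detail the SHA1-before-SHA2 comment above turns on. It assumes Windows PowerShell 5.1 or later, signtool.exe from the Windows SDK on PATH, and uses the add-in path from the question as a placeholder.

```powershell
# Added example, not code from the question or its comments.
# Assumptions: Windows PowerShell 5.1+, signtool.exe on PATH, placeholder add-in path.

function Get-AddInSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # Windows' own Authenticode verdict on the file, independent of Office.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # A chain can verify perfectly and still be the wrong kind of certificate:
    # check for the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) in the
    # Extended Key Usage extension (OID 2.5.29.37).
    $hasCodeSigningEku = $false
    if ($cert) {
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($ekuExt) {
            $hasCodeSigningEku = [bool]($ekuExt.EnhancedKeyUsages |
                Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
        }
    }

    [pscustomobject]@{
        File           = $Path
        Status         = $sig.Status          # Valid, HashMismatch, NotTrusted, NotSigned, UnknownError
        StatusMessage  = $sig.StatusMessage
        Signer         = $cert.Subject
        SignerExpires  = $cert.NotAfter
        CodeSigningEku = $hasCodeSigningEku
        Timestamper    = $sig.TimeStamperCertificate.Subject
    }
}

function Get-AddInDigestAlgorithms {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature does not expose the file-digest algorithm, but
    # "signtool verify /v" prints a "Hash of file (algo)" line per signature.
    # /all walks every signature, so a dual-signed file reports both sha1 and sha256;
    # /pa is the default Authenticode policy, the same one the question verified with.
    $out = & signtool.exe verify /v /pa /all $Path 2>&1 | Out-String
    [regex]::Matches($out, 'Hash of file \((\w+)\)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Placeholder path taken from the question's Trust Center log entry.
$addIn = 'C:\development\out\AddIn.xll'

Get-AddInSignatureReport -Path $addIn | Format-List
'Digest algorithm(s) in signature: ' + ((Get-AddInDigestAlgorithms -Path $addIn) -join ', ')
```

Run it against the file in the out directory after the AfterBuild copy and rename, since that is the file Office loads and the one the SignOutputs target actually signs. If the report says Valid with the Code Signing EKU present and a single sha256 digest while Office still logs Tampered, the disagreement is between Office's own add-in check and the Windows Authenticode policy, which narrows where to look; if the digest list comes back empty or as sha1 only, that is the first thing to reconcile with the SignFile settings in the .csproj.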

0 Answers