How to Digitally Sign a Macro for Excel Using a Code Signing Certificate
Home » How to Digitally Sign a Macro for Excel Using a Code Signing Certificate
(7 votes, average: 5.00 out of 5)
VBA macro-based malware is making a surprising comeback. The Bumblebee malware loader targets U.S. businesses with macro-laced Word files. Learn how to protect your legit Excel docs from being used by cybercriminals.
Macros are simple sets of instructions in Visual Basic for Applications (VBA) language that can be embedded in Excel and other Microsoft Office desktop programs. They save time by automating just about any repetitive task. They’re dead easy to create and can be used to automatically launch files, format cells, or manipulate data in:
While this is a great way to increase productivity, there’s a catch: Macros make fantastic attack vectors. Combine them with email, and you get an explosive mix. Cybercriminals can easily manipulate your macros to embed malicious code into legitimate-looking Microsoft Office files and send them as attachments in phishing emails. When the victim opens the file and enables the macro, it triggers a series of actions that, ultimately, execute malicious code.
Want to protect your company’s reputation and customers from this common threat? This is where knowing how to digitally sign your Excel macro file(s) can help. When you add a digital signature to your Excel macros, you’re proving that your macros are authentic and haven’t been modified. Explore how to digitally sign a macro for Excel and how to verify its digital signature.
Save Up to 27% on a Standard Code Signing Certificate
Assert your organization’s verified digital identity to increase trust in your software and updates. Boost your sales and download rates for as little as $195.00/year (with a 3-year certificate).
Double-click on the .exe file and accept the license agreement. Choose an installation folder where to extract it. Click Save.
Open a command line (cmd) prompt as administrator. Type “cmd” in the Windows search box. Under Command Prompt select Run as administrator.
Typethe following command beforehitting Enter: regsvr32.exe Yourpathto msosip.dll. A pop-up will appear, confirming that the msosip.dll file (included in the package downloaded in step one) has installed successfully. (Tip: Be sure to replace “YourPathTo” with the location where you saved the extracted files.)
Repeat step 2 with one caveat. Replace “msosip.dll” with “msosipx.dll” to install the second library using the following command: regsvr32.exe yourpathto msosipx.dll
Download the Microsoft Visual C++ Redistributable 2010 (X86) version. Be sure to download exactly that version, as some of the code you’ll need to sign macros isn’t included in other versions. If you don’t, SignTool won’t recognize the file and will likely give you an error message. Tip: To access the website, you’ll need to enter your Microsoft credentials. You can use your existing username and password for any Microsoft service or create new ones for free.
Install the software onto your device. Double-click on the installer, accept the terms and conditions and hit Finish to install.
Ready? Let’s Get to Signing…
Great job! Now, it’s time to start signing. In this tutorial, we’ll digitally sign a macro in Excel using the following:
Save Up to 27% on a Standard Code Signing Certificate
Assert your organization’s verified digital identity to increase trust in your software and updates. Boost your sales and download rates for as little as $195.00/year (with a 3-year certificate).
We’ll show you two ways to do digitally sign your Excel macros: first, in the command line using Microsoft SignTool, and then directly in Excel. Both processes will sign and timestamp your Excel macro. Check them out and pick the method you prefer.
Method #1: Digitally Sign (and Timestamp) Your Excel Macro With SignTool and CMD
If you’re a fan of the Windows command prompt (cmd), this is the process for you.
1. Insert Your Secure Hardware Token
Do it always before opening the cmd. It’ll ensure your token is correctly recognized by SignTool.exe.
2. Open a Command Prompt as Admin
Remember? You’ve learned how to do it in step two in the one-time operations section.
cd C:\Program Files (x86)\Windows Kits\10\bin\YourSDKVersion\x86
Tip: The .dll files we’ve downloaded are 32-bit files. That’s why we’ve used the 32-bit version (x86) of SDK/SignTool, and you’ll need to do the same.
If you’ve installed SDK in another directory, use cd C:\ and add the correct file path.
4. Digitally Sign Your Excel Macro and Timestamp It
Copy and paste the SignTool signing command below. Replace the parts in bold with the information related to your timestamp server authority (TSA) and file containing the macro:
Method #2: Digitally Sign Your Macro Directly in Excel
Would you rather use a more user-friendly interface? Digitally sign your macro directly in Excel. Beware, though, that this method has its limitations. For example, you’ll still have to use the cmd and SignTool to add a timestamp. If you don’t add a timestamp, your signature will be invalid when your code signing certificate expires.
You could also add a timestamp by editing your device’s registry. However, we don’t recommend it. Even a small mistake or typo might severely damage your system. So, here are the steps to follow to sign your macro.
1. Open the Excel File
Open the Excel file containing the macro you’re planning to sign.
2. Insert Your Hardware Token
Plug your hardware token into your device.
3. Open the Visual Basic Editor
Click on the Developer tab and, in the Code section, select the Visual Basic icon. The Visual Basic (VB) editor will open.
Tip: Can’t find the Developer tab? Click the File tab and go to Options. Click Customize Ribbon and, under Customize the Ribbon, select Developer. Hit OK.
4. Start the Digital Signature Process
In the VB editor, click Tools and Digital Signature. A new window will open.
5. Choose the Code Signing Certificate
In the editor, click on Choose.
A new box will display the digital certificate linked to the private key saved on the USB token. Here, you’ll select the certificate and click OK.
6. Apply the Signature and Save Your Excel File
The code signing certificate name will appear on the pop-up window, as shown below:
Image caption: The VB editor confirms the certificate chosen for the signature.
If the correct certificate is selected, click OK again. Close the Visual Basic editor and save the Excel file. At the prompt, type your code signing certificate password.
This is how it should look:
The magic is done. Congratulations! You’ve just signed your first Excel macro. You won’t get any official confirmation message, but don’t worry. In a moment, we’ll walk through how to verify your Excel macro digital signature, too.
Tip: Replace the details in the script with your CA’s timestamp server and the path to your Excel file.
Verify Your Excel Macro Digital Signature
Let’s check that the Excel macro digital signature has been applied correctly.
1. Open a Command Prompt as Administrator and go to the SignTool Directory
Follow the same instructions described in steps two and three of the first signing method listed in this article.
Tip: If you aren’t already logged into your workstation as admin, you’ll be required to enter your admin password.
2. Verify the Excel Macro Digital Signature Applied
Copy and paste SignTool’s verify command (signtool verify /pa “c:\filepath\MyExcelFileWithMacroSigned.xlsm) and hit enter. As usual, be sure to type the correct path to your Excel file.
If you see something akin to the example below, congratulations! This verification message means you’ve digitally signed your Excel macro correctly.
Tip: Want to view even more details about the signature (e.g., the certificate’s chain of trust and more information about the timestamp)? Go “verbose” and use this command instead: signtool verify /pa /v “c:\filepath\MyExcelFileWithMacroSigned.xlsm”
Here is what we got when we used it to verify our signature.That’s a lot of interesting information, right?
What Happens When You Digitally Sign Your Macros in Excel
Since January 2022, macros have been disabled by default in Microsoft Office due to security concerns. Adding a digital signature to your Excel macros takes security a step further as it:
Proves to the world that your macros are authentic and haven’t been tampered with since you’ve signed them,
Reassures users by fostering digital trust in your brand and products, and
Shields your legitimate Excel macros from being used in phishing attacks, thereby protecting your employees and other software users.
AnyDesk learned the lesson the hard way a few months ago what happens when your keys aren’t as secure. Cybercriminals stole code signing keys and source code during an attack on the company’s production servers. As a result, they had to revoke all certificates, issue software updates signed with new code signing certificates, and reset all customers’ passwords.
If this wasn’t enough, a few days later Resecurity discovered over 18,000 AnyDesk customer credentials up for sale in the dark web.
Wondering what FIPS 140 Level 2 hardware is and what it does? Find it out in this video:
Excel Macro Digital Signature: How It Works in Less Than 35 Seconds
The code signing certificate containing info about your verified digital identity and public key as the signer are bundled and attached to the macro file.
The digital signature confirms to your Excel users that the macro (and the Excel file) is coming from you (i.e., authenticity) and that it hasn’t been modified by an unauthorized third party (i.e., code integrity). Discover the ins and outs of code signing and the risks of publishing unsigned code in our linked detailed articles.
The short video below gives a straightforward explanation of how digital signatures work behind the scenes (a concept that also applies to code and macro signing).
Final Thoughts About How to Digitally Sign a Macro for Excel
Regardless of which approach you take, when you digitally sign your macros for Excel, you add a layer of security to your document and to the data in it. As a result, your organization will be protected from unauthorized modifications of the macro files, and your users will be able to enjoy the benefits of using them without fear of being infected by malware.
The signing process is simple. Purchase a code signing certificate, install the signing software, and you’re good to go. Besides, did you know that you can use the same certificate to sign (and secure) several other files and software? From drivers to C# code, executables, and application manifests.
Don’t compromise on security. Get your code signing certificate, pick an application, and start signing it now.
Code Signing Best Practices
Want to keep your software and code safe?
Enter your contact information below below to receive your FREE Best Practices PDF:
Contact details collected by CodeSigningStore.com may be used to send you requested information, blog update notices, and for marketing purposes. Learn more…
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
suspension note
In order to comply with U.S. export control and economic sanctions laws and regulations, as well as our corporate policies, we do not support users accessing our applications from Cuba, Iran, North Korea, Syria, and the regions of Crimea, Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) of Ukraine without prior approval from the U.S. government.
Please be aware that these restrictions apply even when a user is on temporary travel to embargoed regions although the user may not normally reside there. If you believe that you have reached this page in error, please reach out to support.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.