A digital signature on a file or Visual Basic for Applications (VBA) project is like a wax seal on an envelope: it confirms that the file originated from the entity that signed it and that the signed content has not been altered by anyone else since it was signed. Under High or Medium security, a file signed by a trusted entity opens without any security warnings.
Microsoft Office 2003 uses Microsoft Authenticode technology to enable you to digitally sign a file or VBA project by using a digital certificate. (A digital signature is an electronic, encryption-based, secure stamp of authentication on a macro or document; it confirms that the macro or document originated from the signer and has not been altered. A digital certificate is an attachment for a file, macro project, or e-mail message that vouches for authenticity, provides secure encryption, or supplies a verifiable signature; to digitally sign macro projects, you must install a digital certificate.) The certificate used to create the signature identifies the signer, and the signature confirms that the signed content has not been altered. When you set the macro security level, you can run macros based on whether they are digitally signed by a developer on your list of trusted sources.
Note that a digital signature does not apply to the entire database. It covers only those parts of the database that could be modified to do malicious things, such as VBA code, macros, action queries, SQL pass-through queries, data definition queries, the ODBC connection string in queries, and properties of ActiveX controls. If any of these are modified after you sign the file or VBA project, the digital signature will be removed, and the file will not open under Medium or High security.
Getting a digital certificate
You can obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc., or from your internal security administrator or Information Technology (IT) professional. Or, you can create a digital certificate yourself by using the SelfCert.exe tool.
Note Because a digital certificate you create yourself isn't issued by a formal certification authority, VBA projects signed by using such a certificate are referred to as self-signed projects. Certificates you create yourself are considered unauthenticated and will generate a warning in the Security Warning box if the security level is set to High or Medium. Microsoft Office will only trust a self-signed certificate on a computer that has the private key for that certificate available (generally, only the computer that actually created the certificate, unless the private key is shared with other computers).
Commercial certification authorities
To obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc., you or your organization must submit an application to that authority.
To learn more about certification authorities that offer services for Microsoft products, see the Microsoft TechNet Security Web site.
Depending on your status as a developer, you should apply for a Class 2 or Class 3 digital certificate for software publishers:
- A Class 2 digital certificate is designed for people who publish software as individuals. This class of digital certificate provides assurance as to the identity of the individual publisher.
- A Class 3 digital certificate is designed for companies and other organizations that publish software. This class of digital certificate provides greater assurance about the identity of the publishing organization. Class 3 digital certificates are designed to represent the level of assurance provided today by retail channels for software. An applicant for a Class 3 digital certificate must also meet a minimum financial stability level based on ratings from Dun & Bradstreet Financial Services.
When you receive your digital certificate, you are given instructions on how to install it on the computer you use to sign your Microsoft Office solutions.
Internal certification authorities
Some organizations and corporations might have a security administrator or group act as their own certification authority, and produce or distribute digital certificates by using tools such as Microsoft Certificate Server. Microsoft Certificate Server can function as a stand-alone certification authority or as part of an existing certification authority hierarchy. Depending on how Microsoft Office digital-signature features are used in your organization, you might be able to sign VBA projects by using a digital certificate from your organization's internal certification authority. Or, you might need to have an administrator sign VBA projects for you by using an approved certificate. For information about your organization's policy, contact your network administrator or IT department.
Here is a brief summary of which type of digital certificate to use.
- If the file will be used by a single user, use SelfCert.exe.
- If the file will be used within an organization, use Windows Certificate Services.
- If the file will be distributed to various users and organizations, use a third-party (commercial) certificate.
Signing your own files and VBA projects
When you digitally sign a VBA project, your digital signature says that you guarantee that the project is safe. Just as signed files remain signed until the file is modified, signed VBA projects remain signed until the macro code is altered.
Things to do before signing a file or VBA project
Verifying that the code contained in the file is reliable and harmless is an important part of preparing a file or project that you intend to sign. Review your code to make sure it does not do anything harmful, such as modify the registry, create or delete a file, or execute the Shell command.
Since expressions are not covered in the digital signature, it is important to verify that expressions aren’t harmful, and that the code behind functions that are called by expressions is safe. The following contain VBA code, and can be called from an expression:
- All functions in modules that are not explicitly Private functions
- All functions that are part of forms and reports
If you come across a function that could be used to cause damage, move the code to a place that cannot be accessed from an expression, such as:
- Private functions in modules
- Functions in class modules
Example See the source code included with the Access Developer Extensions for an example of VBA code that has been hidden from expressions. In this example, shared code that would traditionally be in a module is placed in a class module. To simplify accessing the shared code without having to instantiate the class everywhere, a global variable of the specific class type is created and instantiated. For example:
Public gclsShared As New clsShared
Then, call a function in the class module by using the global variable, such as gclsShared.<function_name>.
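The following listing, added here as an illustration and not taken from the Access Developer Extensions sample, shows the pattern in full. The module name modShared, the class name clsShared, the report name rptSummary and the export folder are assumed for the example. Only the Public function in the standard module is reachable from an expression such as =SafeCaption([Title]); the export routine lives in the class module, and an expression can neither reference the global variable nor call a class module member, so it can be run only by VBA code that you wrote.

```vba
' ===== Standard module: modShared (assumed name) =====
' Everything Public in a standard module can be invoked from an expression
' (query, control source, macro condition). Keep only harmless helpers Public.
Option Compare Database
Option Explicit

' Single shared instance of the class module. An expression can call a Public
' function, but it cannot dereference a variable, so gclsShared.ExportTo is
' unreachable from expressions even though any VBA procedure can use it.
Public gclsShared As New clsShared

' Safe to expose: only formats a string.
Public Function SafeCaption(ByVal rawTitle As Variant) As String
    SafeCaption = StrConv(Trim$(Nz(rawTitle, "")), vbProperCase)
End Function

' Private: not callable from an expression. VBA code (a form event handler,
' for example) reaches the potentially dangerous routine only through here.
Private Function ExportReportFromEvent(ByVal targetPath As String) As Boolean
    ExportReportFromEvent = gclsShared.ExportTo(targetPath)
End Function

' ===== Class module: clsShared (assumed name) =====
' Members of a class module are never reachable from expressions.
Option Compare Database
Option Explicit

Public Function ExportTo(ByVal targetPath As String) As Boolean
    ' Even code that only VBA can reach should not accept an arbitrary path:
    ' restrict the destination to one fixed folder (assumed location).
    Const ALLOWED_FOLDER As String = "C:\Exports\"
    On Error GoTo Fail
    If Left$(targetPath, Len(ALLOWED_FOLDER)) <> ALLOWED_FOLDER _
       Or InStr(targetPath, "..") > 0 Then
        ExportTo = False
        Exit Function
    End If
    DoCmd.OutputTo acOutputReport, "rptSummary", acFormatTXT, targetPath
    ExportTo = True
    Exit Function
Fail:
    ExportTo = False
End Function
```

The split matters because the signature does not cover expressions: an attacker who can edit a query or control source in the signed database can still add =AnyPublicFunction(...), so the only functions that deserve to be Public in a standard module are ones that do nothing harmful whatever their arguments are.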
Important If a database signed with a trusted certificate contains code that can be repurposed by a hacker, the certificate can no longer be trusted. This can lead to revocation of the certificate, which prevents any file signed with that certificate from being trusted. Note that users must have Internet access for revocation checking to discover that a certificate has been revoked.
When do I add a digital signature?
Sign macros only after your solution has been tested and is ready for distribution. Here are two reasons why you might want to postpone signing a database until it is ready for deployment.
- When you modify code in a signed VBA project, its digital signature is removed. However, if the proper digital certificate is on your computer, the VBA project is automatically re-signed when it is saved. Each time Access attempts to re-sign a database, though, it might prompt you or request a password, depending on the security level associated with the certificate used for signing.
- Re-signing might also increase the size of the file, because Access compiles the VBA code before re-signing the database. Jet simply marks the old compiled VBA for deletion and then allocates space for the new compiled VBA code. The space used for the old compiled VBA code is not reclaimed until you compact and repair the database.
Using automation to open a database under Medium or High security
Each time you open an unsigned database under the Medium or High security level, you are prompted with a security warning. This causes problems when you use automation to open a database in a process that no user is monitoring, because the security warning requires user interaction. You can use the AutomationSecurity property to suppress the warning when opening a database through automation. The following Visual Basic script sets AutomationSecurity before opening the database.
Use this technique only if the database is in a location that cannot be modified by a virus or any unauthorized person. Opening databases that are on public network locations or shared directories on the local machine can be dangerous.
Const cDatabaseToOpen = "C:\<FileToOpen>.mdb"
Dim AcApp
On Error Resume Next
Set AcApp = CreateObject("Access.Application")
' AutomationSecurity exists only in Office 2003 (version 11) and later
If Val(AcApp.Version) >= 11 Then
    AcApp.AutomationSecurity = 1 ' msoAutomationSecurityLow
End If
AcApp.Visible = True
AcApp.OpenCurrentDatabase cDatabaseToOpen
If AcApp.CurrentProject.FullName <> "" Then
    AcApp.UserControl = True ' hand the instance to the user so it stays open after the script ends
Else
    AcApp.Quit
    MsgBox "Failed to open '" & cDatabaseToOpen & "'."
End If
Simply double-click the VBS file to open your database.
Compacting a signed database
If you make a lot of code changes to a signed database, you should frequently compact and repair the database to prevent the file from bloating.
The current recommendation is that you work under Medium security and do any significant database development in an unsigned database. Signing the database should be done as a final step before testing or deploying the database.
What do you do if you make changes to a signed file or VBA project?
When a digitally signed database is modified, Access automatically tries to re-sign the database. For most changes, Access will update the signature right after the change is made.
Note If you make changes to ActiveX control properties and switch to browse view without saving your changes, and then try to close Access, Access might not re-sign the database.
To successfully re-sign the database, Access requires that the certificate that was originally used to sign the database be installed on the current computer. If not, Access will remove the signature, notify the user, and leave the database in an unsigned state.
The certificate that is used to sign the database might have a certain security level associated with it. This security level might require that a prompt be displayed every time the certificate is used, or it might even require a password to be entered before using the certificate. This can help prevent a virus or an unauthorized person from modifying your file, and fraudulently signing it with your certificate.
Note You might find it too cumbersome to make design changes to a database that uses a certificate that prompts each time it is used. So, when making changes to a database, consider either not signing it until it is ready for deployment, or using a certificate created with SelfCert.exe during development.
For more information about certificates and signatures, see Using digital certificates to produce trusted solutions.