Digitally Signing a Word 2007 Document

Filed under Office, Security

I originally wrote about digital signatures in Office documents way back here, so check there for more information. But I just stumbled across something with Word 2007 and document signing (including signing templates) that had me scratching my head for a minute.

Word, in it’s shiny new 2007 skin, now has a nifty little feature to add a signature to a document (or template) right on the…um… what they hell you do call this button?

image

Anyway, under “Prepare”, you’ll see this:

image

The Add a Digital Signature lets you sign the document right there. Which is great.

Except for one thing.  That signature is not the same as this one:

image

The former actually signs the document, whereas the latter signs the VBA code contained in the document.

If you don’t believe me, sign a document using the Prepare menu item, then check the signature using the VBA/Tools/Digital Signature menu item. Then sigh and weep.

So, what does that matter, you ask?

Well, in terms of checking the validity of macro code in a document, from what I can tell so far, the signature on the document isn’t checked, only the signature on the VBA code. From a macro/VBA standpoint, signing the document is pretty useless.

I’m still hunting for a way to automate the signing of DOC and DOT files (such as the SIGNTOOL.EXE utility for signing DLL’s and EXE’s). That would make the whole process much more convenient, not to mention enabling it to be built into a normal build process.

3 Comments

  1. Ralf says:

    I’m still a bit fuzzy on why somebody would *want* to digitally sign an office document.

    Is authentication’s an issue? You receive something from a colleague and question whether they actually wrote it? Isn’t it simpler to ring them up or send them an email and ask?

    Worried your VBA macros might become infested with trojans? That’s what CRC’s are for.

    For the seriously paranoid, there’s PGP or any number of public-key systems you can use to authenticate data.

    So is this feature intended for the moderately paranoid? Is this meant to be authentication-for-the-masses?

  2. Darin says:

    Typically, at least for commercial Word "Add in" products, you’d usually sign your VBA code, not to "protect" it but rather to insure to the client (and for your support team’s sanity) to prove that the original code you deployed hasn’t been "customer enhanced" and subsequently broken.

    It also gives Office users the ability to "trust addin’s from a specific publisher" based on the signature, such that you can crank up the Office security, and not get that damn "this document contains VBA code, Do you want to enable it" prompt every time you load Word.

    The "document signature" on the other hand, I’m guessing is the "Office user convenient" version of PGP; just something that allows you to trace whether one of your docs has been altered by someone else, and the ability to prove it.

    I have no idea how its security compares with PGP, though.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*