如何通过带有时间戳的Excel 2016签名XLA? [英] How do I sign an XLA from Excel 2016 with a timestamp?
问题描述
我正在努力从带有时间戳的Excel 2016 中签署XLA。这很重要,因为如果没有时间戳,则当使用的代码签名证书过期时,签名将变得无效。不幸的是,默认情况下,默认情况下,Excel不会将时间戳应用于签名。
Microsoft的文档(
- 根据提示单击以获取更多详细信息,然后选择 启用内容菜单中的高级选项。
- 在 Microsoft Office安全选项对话框中,向下滚动到已签名的加载项,然后单击 显示签名详细信息 。这会打开数字签名详细信息对话框,其中显示签名时间:
不可用
,表明缺少时间戳:
我的理解是带有时间戳的签名将在此处显示,例如
...,但是我无法通过XLA来实现。
根据您的)
更多信息:
- Wikipedia: 受信任的时间戳:创建时间戳
- Office.com: 添加或删除数字签名Office文件中确实存在
- MSDN: SignTool (Windows)
- MSDN: 密码学工具:代码签名简介
I am struggling to sign an XLA from Excel 2016 with a timestamp. This is important, because without a timestamp the signature becomes invalid when the code signing certificate used expires. Unfortunately by default Excel does not apply a timestamp to the signature.
Microsoft's documentation (https://docs.microsoft.com/en-us/deployoffice/security/use-digital-signatures-with-office) states:
To use the time stamp functionality with digital signatures, you must complete the following tasks:
Set up a time stamp server that is compliant with RFC 3161
Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.
My certificate issuer, Comodo, states that their time stamping server (http://timestamp.comodoca.com
) supports RFC 3161 (https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server).
I downloaded and installed the Office 2016 Administrative Template files (ADMX/ADML) from https://go.microsoft.com/fwlink/p/?LinkID=626001 in order to apply group policy settings. In the Local Group Policy Editor, I can then access User Configuration, Administrative Templates, Microsoft Office 2016, Security Settings, Digital Signatures where the relevant group policy settings are found.
I initially set the following:
- Specify timestamp server name to
http://timestamp.comodoca.com
- Set timestamp server timeout to
20
... then when these didn't work (see below), I also set:
- Specify minimum XAdES level for digital signature generation to
XAdES-T
- Requested XAdES level for signature generation to
XAdES-T
... because XAdES-T "Adds a time stamp to the XML-DSig and XAdES-EPES sections of the signature, which helps protect against certificate expiration" - which sounds like what I need.
I am signing in the VBA Editor using Digital Signature from the Tools menu.
However, when I check the signature, I still see no timestamp.
I am checking the signature as follows (I'm not aware of a simpler way):
In the Developer ribbon, click Macro Security, select Add-ins, then check Require Application Add-ins to be signed by Trusted Publisher. Click OK, then close Excel. (I'm not a trusted publisher, so I am intentionally causing my add-in to be disabled.)
Restart Excel, and create an empty workbook. (My add-in is configured to be loaded automatically.) A SECURITY WARNING is shown due to step 1.
- Click for more details as prompted, then choose Advanced Options from the Enable Content menu.
- In the Microsoft Office Security Options dialog, scroll down to the add-in which was signed and click Show Signature Details. This opens the Digital Signature Details dialog which shows Signing time:
Not available
, indicating the lack of a timestamp:
My understanding is that a signature with a timestamp will show it here, e.g.
... but I have been unable to achieve this with my XLA.
According to your timestamp server's documentation:
RFC 3161 timestamping is used by SignTool (using the
/tr
parameter) and other applications (such as jarsigner).Our time stamping server (
http://timestamp.comodoca.com
) automatically selects the appropriate signature algorithm (RSA/SHA-1
,RSA/SHA-256
orRSA/SHA-384
) with which to sign each timestamp, based on the hash algorithm you specify (e.g. via SignTool's/td
parameter).
More Information:
- Wikipedia : Trusted Timestamping: Creating a timestamp
- Office.com : Add or remove a digital signature in Office files
- MSDN: SignTool (Windows)
- MSDN: Cryptography Tools: Introduction to Code Signing
这篇关于如何通过带有时间戳的Excel 2016签名XLA?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!