Sign Excel macro projects with SignTool using KSP library
SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.
Follow these instructions to sign directly using SignTool and securely reference your private key stored in DigiCert® KeyLocker. Alternatively, integrate SignTool with Signing Manager Controller (SMCTL) for simplified signing.
Tip
SignTool does not support all characters in sign commands. Review the following:
Supported characters:
@ % ( ) - _ = [ ] { } ;
Unsupported characters:
! # $ ^ & + ` '
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Prerequisites
Windows operating system
Download and install Microsoft Office Subject Interface Packages (Office SIPs) version 16.0.16507.43425
Tip
For Excel macro signing, the 32-bit Office SIPs are required, even on 64-bit Windows systems.
You may install both 64-bit and 32-bit Office SIPs, but the 32-bit version must be present for the steps in this document.
If you install only one version, install the 32-bit Office SIPs.
Download and install Visual C++ 2010
Download and configure DigiCert® KeyLocker clients
Set up macro signing
Once you install all required tools, open a Command Prompt in Administrator mode.
The Office SIP installer includes the following DLLs:
msosip.dll
msosipx.dll
These DLLs are installed in the directory you selected during the Office SIP installation.
Tip
Use the 32-bit versions of msosip.dll and msosipx.dll.
If you installed both 64-bit and 32-bit Office SIPs, ensure the paths below reference the 32-bit installation directory.
To register the Office SIPs with Windows, run:
regsvr32.exe <complete path to msosip.dll>
regsvr32.exe <complete path to msosipx.dll>
If successful, you will see the message: DllRegisterServer in <complete file path> succeeded.
Sign
Use the 32-bit version of SignTool located at: C:\Program Files (x86)\Windows Kits\10\bin\<version>\x86
To sign, use the command:
<Path_to_32_bit_signtool.exe> sign /csp "DigiCert Signing Manager KSP" /kc "<keypair alias>" /f certname.crt /v /debug /fd SHA256 macroname.xlsm
Tip
"DigiCert Signing Manager KSP" must remain exactly as shown and must not be changed.
"<keypair alias>" must be replaced with the actual alias of your keypair.
Signing will fail if the keypair alias does not match an available private key in your DigiCert® KeyLocker account.
Verify signature
To verify a file is signed, use the command:
<Path_to_32_bit_Signtool.exe> verify /pa macroname.xlsm
Common errors and solutions for signing Excel macro projects with SignTool
"This file format cannot be signed because it is not recognized"
Error
"This file format cannot be signed because it is not recognized"
Cause
Office SIPs are missing, incorrectly registered, or the 64-bit DLLs were used instead of the required 32-bit versions.
Solution
Ensure that the 32-bit Microsoft Office SIPs are installed.
Register the 32-bit versions of the Office SIP DLLs by running the following commands from an Administrator command prompt:
regsvr32.exe <complete path to 32-bit msosip.dll>
regsvr32.exe <complete path to 32-bit msosipx.dll>
Retry the signing operation.
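A pre-flight check for the two conditions this page names as failure causes: unsupported characters in the file path, and 64-bit binaries where 32-bit ones are required. This is an added example, not DigiCert or Microsoft code. The function names are hypothetical, the sample bytes are constructed, and the machine values come from the PE/COFF header format.

```python
import struct

# Characters the page lists as unsupported in SignTool sign commands.
UNSUPPORTED = set("!#$^&+`'")
# IMAGE_FILE_HEADER.Machine values defined by the PE/COFF format.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def unsupported_chars(path):
    """Return unsupported characters found in path, in order of first appearance."""
    found = []
    for ch in path:
        if ch in UNSUPPORTED and ch not in found:
            found.append(ch)
    return found

def pe_machine(data):
    """Return 'x86', 'x64', 'arm64' or 'unknown' for PE bytes; None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of PE header
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINES.get(machine, "unknown")

def preflight(target_path, binaries):
    """binaries maps a label to file bytes. Returns a list of problems; empty means ready."""
    problems = []
    bad = unsupported_chars(target_path)
    if bad:
        problems.append("path contains unsupported characters: " + " ".join(bad))
    for label, data in binaries.items():
        arch = pe_machine(data)
        if arch != "x86":
            problems.append(f"{label} is {arch or 'not a PE file'}, expected 32-bit (x86)")
    return problems

def fake_pe(machine):
    """Constructed sample: minimal DOS header, PE signature and Machine field."""
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return header + b"PE\0\0" + struct.pack("<H", machine)

if __name__ == "__main__":
    # Constructed inputs; in real use, read msosip.dll, msosipx.dll and
    # signtool.exe from disk with open(path, "rb").read().
    print(preflight(r"C:\build\Q3 report #2.xlsm",
                    {"msosip.dll": fake_pe(0x8664), "signtool.exe": fake_pe(0x014C)}))
```

Run it against the Office SIP DLLs and the SignTool binary before signing; an empty list means neither of the two conditions was detected.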
"No private key is available"
Error
"No private key is available"
Cause
The keypair alias specified in the SignTool command does not match the keypair alias in your DigiCert® KeyLocker account.
Solution
Verify the keypair alias in your DigiCert® KeyLocker account.
Update the SignTool command to use the exact matching keypair alias.
Retry the signing operation.