Sign Excel macro projects with SignTool using KSP library
SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.
Follow these instructions to sign directly using SignTool and securely reference your private key stored in Software Trust Manager. Alternatively, integrate SignTool with Signing Manager Controller (SMCTL) for simplified signing.
Tip
SignTool does not support all characters in sign commands, review the following:
Supported characters:
@ % ( ) - _ = [ ] { } ;
Unsupported characters:
! # $ ^ & + ` '
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Prerequisites
Windows operating system
Download and install officesips (version 16.0.16507.43425)
Download and install Visual C++ 2010
Download and configure Software Trust Manager clients
Keypair alias
Download a copy of your certificate or use the certificate fingerprint
Set up macro signing
Once you install all required tools, open a command prompt in Administrator mode. Next, run the commands:
regsvr32.exe <complete path to msosip.dll>
regsvr32.exe <complete path to msosipx.dll>
If successful, you will see a message: “DIIRegister Server in <complete file path>
succeeded."
Sign
Use the SignTool present in the path C:\Program Files (x86)\Windows Kits\10\bin\<version>\x86
to sign Excel macros. To sign, use the command:
<Path_to_32_bit_signtool.exe> sign /csp "DigiCert Signing Manager KSP" /kc "KeyAlias" /f certname.crt /v /debug /fd SHA256 macroname.xlsm
Verify signature
To verify a file is signed, use the command:
<Path_to_32_bit_Signtool.exe> verify /pa macroname.xlsm