Skip to main content

Sign Excel macro projects with SignTool using KSP library

SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.

Follow these instructions to sign directly using SignTool and securely reference your private key stored in Software Trust Manager. Alternatively, integrate SignTool with Signing Manager Controller (SMCTL) for simplified signing.

Tip

SignTool does not support all characters in sign commands, review the following:

  • Supported characters: @ % ( ) - _ = [ ] { } ;

  • Unsupported characters: ! # $ ^ & + ` '

To avoid errors, remove unsupported characters from file paths before attempting to sign.

Prerequisites

Set up macro signing

Once you install all required tools, open a command prompt in Administrator mode. Next, run the commands:

regsvr32.exe <complete path to msosip.dll>
regsvr32.exe <complete path to msosipx.dll>
         

If successful, you will see a message: “DIIRegister Server in <complete file path> succeeded."

Sign

Use the SignTool present in the path C:\Program Files (x86)\Windows Kits\10\bin\<version>\x86 to sign Excel macros. To sign, use the command:

<Path_to_32_bit_signtool.exe> sign /csp "DigiCert Signing Manager KSP" /kc "KeyAlias" /f certname.crt /v /debug /fd SHA256 macroname.xlsm
         

Verify signature

To verify a file is signed, use the command:

<Path_to_32_bit_Signtool.exe> verify /pa macroname.xlsm