Page 2



First Published 8 Dec 2022                             Last Updated 12 June 2024                             Difficulty level : Moderate



Section Links: (this page)
          Introduction
          Background Info
          VBA Project Signing
          Testing Your Signed Project
          Download
          YouTube Video
          Summary
          Related Articles
          Acknowledgements
          Feedback



1.   Introduction                                                                                                                                        Return To Top

      This is a completely new feature that finally addresses an issue not available since ACCDB files were introduced 15 years ago with Access 2007
      Using it will also require a very different method for developers to prepare for the distribution of Access applications

      The new feature has been available to those on the Office Insiders update channels for Microsoft 365 for the last few months.

      However, as of 4 Jan 2023, it is now available to all users on the Current Channel starting with version 2212 build 15928.20198.
      See Release Notes for Current Channel

365ReleaseNote

      This article provides more detailed information explaining why the new feature has been introduced and how to use it in your own projects.

      In addition, see the Microsoft help article: Show trust by adding a digital signature



2.   Background Info                                                                                                                                Return To Top

      Code signing certificates are designed to confirm that project code is both trustworthy and that it has not been altered since it was distributed by the developer.
      These certificates can be purchased from various providers such as Sectigo and Verisign or can sometimes be obtained more cheaply from resellers such as kSign.

      Their use is intended as an indication that an application originates from a reputable source and is safe to run.

      I have for many years used a code signing certificate when distributing my commercial apps via my website.
      I use a professional installer package to create an EXE file containing all files required and then sign the EXE file.
      Over a period of time, use of a certificate reduces or eliminates the smart screen warnings for files downloaded from the Internet as the developer gains 'trust'

      Unfortunately it has never been possible to sign the actual ACCDB / ACCDE files . . . UNTIL NOW!

      Those who have been developing in Access for many years may be aware that with the old MDB file format, it has always been possible to sign your projects with a
      code signing certificate. However, the ability to use a certificate was removed when the ACCDB file format was introduced with Access 2007

      This was an important amd strange omission. Excel files using the 'new' .xlsm macro enabled format have included code signing as a feature for many years.
      Finally, and only 15 years later(!), this omission has finally been addressed in Access

      Until now, the standard process for Access developers / users has been to ensure files are installed to a trusted location.
      In fact for many of the apps I distribute, the location is set as trusted as part of the installation process.
      This means the application works immediately with no additional action required by end users.

      However, in an untrusted location, depending on your 'Macro Settings' in the Trust Center, VBA code cannot run

MacroSettings2
      NOTE:
      In Access, the phrase 'Macro Settings' is misleading as it is mainly referring to VBA code

      If you use the default macro setting, disable all macros with notification (as shown above), a yellow security banner is displayed if the location or application
      isn't trusted.

EnableContent
      Clicking the Enable Content button makes the 'document' trusted for the current session only and code can then run. This is both simple and quick to do

      Alternatively, either the document or the location can be trusted. See my article: Is Location Trusted . . . and does it matter?

      However, there are some important disadvantages to both the Trusted Location and Trusted Document approaches:
      a)   If the file is an ACCDB or MDB file, it is possible for someone to alter the file after it has been distributed.
            This means that malicious code could be added. If the location or document is trusted, the code will still run

            This is one important reason for distributing applications as ACCDE / MDE files where the code is fully compiled and cannot be viewed or altered

            Nevertheless, end users are still able to create/edit/delete database objects such as action queries in ACCDE or MDE files.
            This security weakness means that potentially harmful changes can be made to the database after distribution.

      b)   Applications running from an untrusted location take much longer to load and code runs far more slowly.
            If you have complex code this effect can be very noticeable such that performance is badly affected.


      This particular issue was brought to my attention by Aleksander Wojtasz, an experienced Access developer from Poland.
      Aleksander has some very impressive Access applications involving the use of drag & drop with Gantt charts . See his YouTube channel.

      Aleksander also provided sample code to demonstrate the issue which I have adapted (with his permission) for use in the example app supplied with this article.

      These are the results I obtained with the example app:

        Trusted Location

MS2TrustedLocation
        Untrusted Location

MS2UntrustedLocation


      The code ran in about 32 milliseconds from a trusted location but took about 740 milliseconds from an untrusted location. That is about 23x slower!

      I also discussed this issue in detail in my earlier article: Is Location Trusted . . . and does it matter?

      The reason for this slowdown is that code running from an untrusted location is first checked by the Antimalware Scan Interface (AMSI)
      The AMSI check runs not just the first time the code is used but EVERY time it is used.

      Whilst this is being done for security reasons, the outcome for end users can be applications that perform badly
      For further details about AMSI, see Office VBA + AMSI: Parting the veil on malicious macros - Microsoft Security Blog

      By contrast, code from trusted locations is deemed to be safe so the AMSI feature is bypassed
      For supposed security reasons, many organisations prevent users saving their apps to the default trusted location.
      In some cases, they also prevent users adding their own trusted locations from which to run their Office apps such as Access files.

      These restrictions are too often imposed for questionable reasons.
      One significant side effect of this is that some users will then alter their Macro settings in the Trust Center to allow all macros to run.

      This is definitely NOT recommended as it allows potentially dangerous code to run

MacroSettings4
      Perhaps surprisingly, if code is run from an untrusted location with that macro setting, the code still runs slowly as the AMSI check still runs!

      A better solution is clearly needed. This is what VBA project signing is designed to address.



3.   VBA Project Signing       (UPDATED 12 June 2024)                                                                        Return To Top

      From version 2212 onwards, this feature has been available to all Office 365 users on the Current Channel

      This Microsoft article Malicious macros were found explicitly states that the AMSI scan does not occur when a file is in a trusted location, or when the
      VBA 'macros' are signed with a code signing certificate.

      To use the new feature with apps that you distribute, you will first need to purchase a code signing certificate from a reputable supplier such as Verisign or Sectigo.

      NOTE:
      Code signing certificates are expensive to purchase and are only made available to those certified as reputable developers.
      You will therefore need to go through a series of security checks before the certificate is issued.
      From personal experience, it may take several weeks for validation checks to be completed, at least on the first occasion.

      Until recently, once the certificate was issued, it could only be applied on the workstation where it was installed.

      However, from 1 June 2023 onwards, new regulations apply when purchasing code signing certificates.

      The changes mean that private keys must now be stored on secure hardware that meets specific security benchmarks.
      In most cases, this means code signing certificates are only available on 'secure tokens' such as secure USB sticks.
      Supposedly, this is to prevent the risk of certificates 'falling into the wrong hands'.
      However, inevitably, the new regulations have significantly increased the cost of purchasing certificates.

      One clear benefit of the new system is that the certificate is now portable. It is no longer saved to a certificate store on a specific workstation.
      The 'secure token' USB stick can be easily moved to another workstation which simplifies code signing of e.g. 32-bit & 64-bit ACCDE files.
      However, any code changes will invalidate the certificate if the secure token is not currently plugged into your development machine(s)

      Associated with this, you will need to download and install specialist software which will check for the existence of a valid certificate.
      For this purpose, I use the free SafeNet Authentication Client app as recommended by my certificate provider.

SafeNet Authentication Client
      Alternatively, at least one certificate provider offers a service where you upload applications to be code signed by the provider and returned to you.

      IMPORTANT:
      The new regulations do not in any way affect the functionality as far as end users are concerned.
      As long as the code isn't changed, purchased certificates remain valid when your apps are run from other workstations e.g. on clients' machines.

      However, even if you do not have a valid certificate, you can still test the new code signing feature by creating a self certificate.
      Self certificates are for test purposes ONLY. They are only valid on the machine where they were created. They are of no use when distributing apps to clients

      To do so, you need to run the SELFCERT.exe application. This is located in your Office folder:

Office365Folder
      Run the SELFCERT app, enter a name for your test certificate and click OK

SelfCert
      You should then see a message that your self certificate has been successfully created

      NOTE: Signed projects are intended for use with Macro Setting 3 - disable all except digitally signed macros

MacroSettings3
      You should change to that setting now before code signing your project

      Now move your app to an untrusted location. The code will NOT run as it has not been signed. There is NO warning message with this setting

      You can now move your app back to a trusted location.

      Next you need to apply the certificate (purchased or self-cert) to your Access application. This only takes a few seconds to do.

      Open the Visual Basic Editor (VBE) and click Tools then Digital Signature

DigSig1

      The Digital Signature window opens. If you have a valid certificate, it will be shown under Sign As. Click the Choose button
      The Windows Security window opens with your certificate details

DigSig2

      If you have more than one valid certificate, click More Choices to see all your certificates
      Purchased certificates appear at the top with self certificates below

DigSig3
      Select a certificate and click OK

DigSig4

      The Digital Signature window re-appears showing the project has been signed

DigSig5

      NOTE:
      a)   When a signed project is downloaded from a website or email, it is automatically trusted. You will not need to unblock the file to remove the 'mark of the web'

      b)   When a signed ACCDB project is saved as an ACCDE file, this will invalidate the signature as the file structure has been changed
            This warning message will be displayed:

MustResignMsg
            Make sure you sign the ACCDE file before distributing it to end users!

      c)   If you have an older version of Access or are on one of the Office 365 Enterprise channels (Monthly or Semi-Annual), you will instead see this message
            (until the feature is released more widely in the near future)

CannotSaveDigSig
            Now close your project without making any changes to the code or it will invalidate the digital signature!

            Do NOT click the Save button in the VBE or it will also disable the signature

      d)   When code changes are made in a signed project, Access checks whether the code signing certificate is available on that workstation.
            If so, it will automatically reinstate the digital signature.
            However, any code changes made on a different workstation will invalidate the digital signature.

            You are now ready to test your signed project



4.   Testing Your Signed Project                                                                                                                                 Return To Top

      First run the app from the trusted location. It runs as normal

      Now move the app back to an untrusted location.
      The first time you use your certificate, the Enable Content security banner will again appear.

EnableContent
      Click on the text to the left of the Enable Content button then click on the Enable Content dropdown.

EnableContentOptions

      Select Advanced Options and click Always trust content from this publisher

TrustPublisher

      NOTE:
      a)   With an unsigned project, the final option isn't available

AdvancedOptions

      b)   Once you have trusted the publisher, it will appear in the list of Trusted Publishers in the Trust Center

TrustedPublishers

      c)   When a client runs one of your signed applications for the first time, a message similar to this will be displayed:

TrustPublisherACCDE
      Clicking the Trust all from publisher button will allow all signed apps from that publisher to run without further issues

      Code can now be run successfully and end users should find no measurable speed difference compared to running it from a trusted location
      These are the results I obtained with the example app:

        Trusted Location

MS2TrustedLocationWithCert
        Untrusted Location

MS2UntrustedLocationWithCert


      The VBA Project signing feature has been designed so that any changes to code or certain database elements will invalidate the digital signature.

      This isn't an issue for the application developer. If the certificate is available on the development machine it will automatically be re-applied as explained above

      However, the outcome is different for end users who will not have the certificate on their machine.
      Test the effect by moving your application to a different workstation or a virtual machine running Access 365 version 2212 or later.

      Now make a small code change e.g. add a blank line or a comment and click Save in the VBE
      This results in a warning message being displayed in the status bar:

      Modifications to the database or project have invalidated the associated digital signature.

      In addition, just before you close the app, this warning message appears

InvalidatedCert
      The next time you reopen the app, the Enable Content security banner re-appears

      Similar behaviour occurs if users make changes to the design of action queries as that may affect the data integrity.
      The idea is end users cannot modify a signed database by, for example, replacing a select query with a delete query that deletes things it shouldn’t, then pass on the
      database with the signature intact.

      As a result, changing the DESIGN of action queries will invalidate the signature preventing code running.

      This feature therefore addresses one important security issue with both ACCDB and ACCDE files that I wrote about in my earlier article:
      Adding Security to Access Databases - A Wish List

      NOTE:
      a)   End users will of course still be able to RUN action queries included in the signed database by the developer without invalidating the certificate

      b)   When I tested the feature by modifying an update query, I didn't see any warnings that this would invalidate the signature.
            When I next opened the database, there were no security warnings but the code no longer ran.
            Whilst this feature does work as intended, in my opinion, end users won't understand why the database that was running fine previously is no longer working.


      The effect of all this additional security means that after making code changes or changes to action queries, you will need to re-apply the certificate before the
      updated app is distributed to end users

      Finally, if you change Macro Settings whilst in an untrusted location, you may see this Blocked Content security banner instead:

MS3BlockedContent

      Clicking the Learn More button opens this help article: Trusted document settings have changed



5.   Download                                                                                                                               Return To Top

      Click to download the example app which you can use for testing. Two versions are available - UNSIGNED and SIGNED

          Code Signing Test Database - UNSIGNED      Approx 1.8 MB (zipped)

          Code Signing Test Database - SIGNED      Approx 1.8 MB (zipped) - see note below

      NOTE:
      a)   The SIGNED version of the project will automaticaally be TRUSTED when it is downloaded

            However the UNSIGNED version will need to be UNBLOCKED to remove the 'mark of the web'.
            For more details, see my article: Unblock downloaded files by removing the Mark of the Web

      b)   The code signing certificate supplied with the SIGNED version will have no effect in older Access versions or if you are still on an earlier version of the
            Semi-Annual Office 365 Enterprise channel prior to version 2212. In such cases, Access will report both apps as having no certificate

      c)   Code signing certificates are NOT transferable to another developer. You will NOT be able to apply my code certificate to your own applications.



6.   YouTube Video                                                                                                                      Return To Top

      I have created a YouTube video for my Isladogs on Access channel demonstrating the use of the new VBA Project Signing feature.

      This is now available at: https://youtu.be/c5rnlcafBjM or you can click below:

       


      If you subscribe to my Isladogs on Access channel on YouTube, you will be notified whenever new videos are released.



7.   Summary                                                                                                                                Return To Top

     The new VBA project signing feature adds additional functionality for those who need it, but it is significantly more complex to use . . . at least initially.

      Other methods of trusting code such as trusted locations will continue to work and may remain the preferred solution for many developers.

      Here is a brief summary of the different approaches available to developers and end users:

      Enable Content
      •   Allows code to run for the current session only. The button will need to be clicked each time the app is run
      •   Easy to implement. No protection against changes made by unauthorised users.

      Trusted Document
      •   Allows code to run each time the app is opened but the AMSI scan will run causing code to run more slowly
      •   Easy to implement
      •   Code still runs even if changes have been made. No protection against changes made by unauthorised users.

      Trusted Location
      •   Allows code to run each time the app is opened from that location. The AMSI scan will not run so code runs faster
      •   Easy to implement
      •   Code still runs even if changes have been made. No protection against changes made by unauthorised users.

      VBA project signing
      •   Expensive. Code signing certificate must be purchased
      •   More complex to implement
      •   The signature is invalidated if any changes are made to the code or certain objects such as action queries so the code cannot run
      •   Does not work in older versions of Access where code certificates are not available


      UPDATE 14 Dec 2022
      The second page of this article will be used to follow up any questions arising from this article or the YouTube presentation



8.   Related Article                                                                                                                      Return To Top

      Is Location Trusted . . . and does it matter?



9.   Acknowledgements                                                                                                              Return To Top

      Many thanks to Sachin Arunkumar for all his hard work in developing this new feature for the Access team.
      Also thanks to both Sachin and Shane Groff for responding so promptly to my questions and feedback about the VBA project signing feature. Much appreciated.



10.   Feedback                                                                                                                                Return To Top

      Please use the contact form below to let me know whether you found this article useful or if you have any questions.

      Do let me know if there are any errors or omissions

      Please also consider making a donation towards the costs of maintaining this website. Thank you



Colin Riddington                 Mendip Data Systems                 Last Updated 12 June 2024



Return to Access Articles Page Page 1 of 2 1 2 Return to Top