First Published 8 Dec 2022 Last Updated 5 Dec 2023 Difficulty level : Moderate
Section Links: (this page)
Introduction
Background Info
VBA Project Signing
Testing Your Signed Project
Download
YouTube Video
Summary
Related Articles
Acknowledgements
Feedback
1. Introduction Return To Top
This is a completely new feature that finally addresses an issue not available since ACCDB files were introduced 15 years ago with Access 2007
Using it will also require a very different method for developers to prepare for the distribution of Access applications
The new feature has been available to those on the Office Insiders update channels for Microsoft 365 for the last few months.
However, as of 4 Jan 2023, it is now available to all users on the Current Channel starting with version 2212 build 15928.20198.
See Release Notes for Current Channel
This article provides more detailed information explaining why the new feature has been introduced and how to use it in your own projects.
In addition, see the Microsoft help article: Show trust by adding a digital signature
2. Background Info Return To Top
Code signing certificates are designed to confirm that project code is both trustworthy and that it has not been altered since it was distributed by the developer.
These certificates can be purchased from various providers such as Sectigo and Verisign or can sometimes be obtained more cheaply from resellers such as kSign.
Their use is intended as an indication that an application originates from a reputable source and is safe to run.
I have for many years used a code signing certificate when distributing my commercial apps via my website.
I use a professional installer package to create an EXE file containing all files required and then sign the EXE file.
Over a period of time, use of a certificate reduces or eliminates the smart screen warnings for files downloaded from the Internet as the developer gains 'trust'
Unfortunately it has never been possible to sign the actual ACCDB / ACCDE files . . . UNTIL NOW!
Those who have been developing in Access for many years may be aware that with the old MDB file format, it has always been possible to sign your projects with a
code signing certificate. However, the ability to use a certificate was removed when the ACCDB file format was introduced with Access 2007
This was an important amd strange omission. Excel files using the 'new' .xlsm macro enabled format have included code signing as a feature for many years.
Finally, and only 15 years later(!), this omission has finally been addressed in Access
Until now, the standard process for Access developers / users has been to ensure files are installed to a trusted location.
In fact for many of the apps I distribute, the location is set as trusted as part of the installation process.
This means the application works immediately with no additional action required by end users.
However, in an untrusted location, depending on your 'Macro Settings' in the Trust Center, VBA code cannot run
NOTE:
In Access, the phrase 'Macro Settings' is misleading as it is mainly referring to VBA code
If you use the default macro setting, disable all macros with notification (as shown above), a yellow security banner is displayed if the location or application
isn't trusted.
Clicking the Enable Content button makes the 'document' trusted for the current session only and code can then run. This is both simple and quick to do
Alternatively, either the document or the location can be trusted. See my article: Is Location Trusted . . . and does it matter?
However, there are some important disadvantages to both the Trusted Location and Trusted Document approaches:
a) If the file is an ACCDB or MDB file, it is possible for someone to alter the file after it has been distributed.
This means that malicious code could be added. If the location or document is trusted, the code will still run
This is one important reason for distributing applications as ACCDE / MDE files where the code is fully compiled and cannot be viewed or altered
Nevertheless, end users are still able to create/edit/delete database objects such as action queries in ACCDE or MDE files.
This security weakness means that potentially harmful changes can be made to the database after distribution.
b) Applications running from an untrusted location take much longer to load and code runs far more slowly.
If you have complex code this effect can be very noticeable such that performance is badly affected.
This particular issue was brought to my attention by Aleksander Wojtasz, an experienced Access developer from Poland.
Aleksander has some very impressive Access applications involving the use of drag & drop with Gantt charts
. See his YouTube channel.
Aleksander also provided sample code to demonstrate the issue which I have adapted (with his permission) for use in the example app supplied with this article.
These are the results I obtained with the example app:
Trusted Location
|
Untrusted Location
|
The code ran in about 32 milliseconds from a trusted location but took about 740 milliseconds from an untrusted location. That is about 23x slower!
I also discussed this issue in detail in my earlier article: Is Location Trusted . . . and does it matter?
The reason for this slowdown is that code running from an untrusted location is first checked by the Antimalware Scan Interface (AMSI)
The AMSI check runs not just the first time the code is used but EVERY time it is used.
Whilst this is being done for security reasons, the outcome for end users can be applications that perform badly
For further details about AMSI, see Office VBA + AMSI: Parting the veil on malicious macros - Microsoft Security Blog
By contrast, code from trusted locations is deemed to be safe so the AMSI feature is bypassed
For supposed security reasons, many organisations prevent users saving their apps to the default trusted location.
In some cases, they also prevent users adding their own trusted locations from which to run their Office apps such as Access files.
These restrictions are too often imposed for questionable reasons.
One significant side effect of this is that some users will then alter their Macro settings in the Trust Center to allow all macros to run.
This is definitely NOT recommended as it allows potentially dangerous code to run
Perhaps surprisingly, if code is run from an untrusted location with that macro setting, the code still runs slowly as the AMSI check still runs!
A better solution is clearly needed. This is what VBA project signing is designed to address.
3. VBA Project Signing Return To Top
From version 2212 onwards, this feature has been available to all Office 365 users on the Current Channel
This Microsoft article Malicious macros were found explicitly states that the AMSI scan does not occur when a file is in a trusted location, or when the
VBA 'macros' are signed with a code signing certificate.
To use the new feature with apps that you distribute, you will first need to purchase a code signing certificate from a reputable supplier such as Verisign or Sectigo.
NOTE:
Code signing certificates are expensive to purchase and are only made available to those certified as reputable developers.
You will therefore need to go through a series of security checks before the certificate is issued.
From personal experience, it may take several weeks for validation checks to be completed, at least on the first occasion.
Once the certificate is issued, it can only be applied on the workstation where it was installed . . . so choose carefully
However, purchased certificates remain valid when your apps are run from other workstations e.g. on clients' machines
However, even if you do not have a valid certificate, you can still test the new code signing feature by creating a self certificate.
Self certificates are for test purposes ONLY. They are only valid on the machine where they were created. They are of no use when distributing apps to clients
To do so, you need to run the SELFCERT.exe application. This is located in your Office folder:
Run the SELFCERT app, enter a name for your test certificate and click OK
You should then see a message that your self certificate has been successfully created
NOTE: Signed projects are intended for use with Macro Setting 3 - disable all except digitally signed macros
You should change to that setting now before code signing your project
Now move your app to an untrusted location. The code will NOT run as it has not been signed. There is NO warning message with this setting
You can now move your app back to a trusted location.
Next you need to apply the certificate (purchased or self-cert) to your Access application. This only takes a few seconds to do.
Open the Visual Basic Editor (VBE) and click Tools then Digital Signature
The Digital Signature window opens. If you have a valid certificate, it will be shown under Sign As. Click the Choose button
The Windows Security window opens with your certificate details
If you have more than one valid certificate, click More Choices to see all your certificates
Purchased certificates appear at the top with self certificates below
Select a certificate and click OK
The Digital Signature window re-appears showing the project has been signed
NOTE:
a) When a signed project is downloaded from a website or email, it is automatically trusted. You will not need to unblock the file to remove the 'mark of the web'
b) When a signed ACCDB project is saved as an ACCDE file, this will invalidate the signature as the file structure has been changed
This warning message will be displayed:
Make sure you sign the ACCDE file before distributing it to end users!
c) If you have an older version of Access or are on one of the Office 365 Enterprise channels (Monthly or Semi-Annual), you will instead see this message
(until the feature is released more widely in the near future)
Now close your project without making any changes to the code or it will invalidate the digital signature!
Do NOT click the Save button in the VBE or it will also disable the signature
d) When code changes are made in a signed project, Access checks whether the code signing certificate is available on that workstation.
If so, it will automatically reinstate the digital signature.
However, any code changes made on a different workstation will invalidate the digital signature.
You are now ready to test your signed project
4. Testing Your Signed Project Return To Top
First run the app from the trusted location. It runs as normal
Now move the app back to an untrusted location.
The first time you use your certificate, the Enable Content security banner will again appear.
Click on the text to the left of the Enable Content button then click on the Enable Content dropdown.
Select Advanced Options and click Always trust content from this publisher
NOTE:
a) With an unsigned project, the final option isn't available
b) Once you have trusted the publisher, it will appear in the list of Trusted Publishers in the Trust Center
c) When a client runs one of your signed applications for the first time, a message similar to this will be displayed:
Clicking the Trust all from publisher button will allow all signed apps from that publisher to run without further issues
Code can now be run successfully and end users should find no measurable speed difference compared to running it from a trusted location
These are the results I obtained with the example app:
Trusted Location
Untrusted Location
The VBA Project signing feature has been designed so that any changes to code or certain database elements will invalidate the digital signature.
This isn't an issue for the application developer. If the certificate is available on the development machine it will automatically be re-applied as explained above
However, the outcome is different for end users who will not have the certificate on their machine.
Test the effect by moving your application to a different workstation or a virtual machine running Access 365 version 2212 or later.
Now make a small code change e.g. add a blank line or a comment and click Save in the VBE
This results in a warning message being displayed in the status bar:
Modifications to the database or project have invalidated the associated digital signature.
In addition, just before you close the app, this warning message appears
The next time you reopen the app, the Enable Content security banner re-appears
Similar behaviour occurs if users make changes to the design of action queries as that may affect the data integrity.
The idea is end users cannot modify a signed database by, for example, replacing a select query with a delete query that deletes things it shouldn’t, then pass on the
database with the signature intact.
As a result, changing the DESIGN of action queries will invalidate the signature preventing code running.
This feature therefore addresses one important security issue with both ACCDB and ACCDE files that I wrote about in my earlier article:
Adding Security to Access Databases - A Wish List
NOTE:
a) End users will of course still be able to RUN action queries included in the signed database by the developer without invalidating the certificate
b) When I tested the feature by modifying an update query, I didn't see any warnings that this would invalidate the signature.
When I next opened the database, there were no security warnings but the code no longer ran.
Whilst this feature does work as intended, in my opinion, end users won't understand why the database that was running fine previously is no longer working.
The effect of all this additional security means that after making code changes or changes to action queries, you will need to re-apply the certificate before the
updated app is distributed to end users
Finally, if you change Macro Settings whilst in an untrusted location, you may see this Blocked Content security banner instead:
Clicking the Learn More button opens this help article:
Trusted document settings have changed
5. Download Return To Top
Click to download the example app which you can use for testing. Two versions are available - UNSIGNED and SIGNED
Code Signing Test Database - UNSIGNED Approx 1.8 MB (zipped)
Code Signing Test Database - SIGNED Approx 1.8 MB (zipped) - see note below
NOTE:
a) The SIGNED version of the project will automaticaally be TRUSTED when it is downloaded
However the UNSIGNED version will need to be UNBLOCKED to remove the 'mark of the web'.
For more details, see my article:
Unblock downloaded files by removing the Mark of the Web
b) The code signing certificate supplied with the SIGNED version will have no effect in older Access versions or if you are still on an earlier version of the
Semi-Annual Office 365 Enterprise channel prior to version 2212. In such cases, Access will report both apps as having no certificate
c) Code signing certificates are NOT transferable to another developer. You will NOT be able to apply my code certificate to your own applications.
6. YouTube Video Return To Top
I have created a YouTube video for my Isladogs on Access channel demonstrating the use of the new VBA Project Signing feature.
This is now available at: https://youtu.be/c5rnlcafBjM or you can click below:
If you subscribe to my Isladogs on Access channel on YouTube, you will be notified whenever new videos are released.
7. Summary Return To Top
The new VBA project signing feature adds additional functionality for those who need it, but it is significantly more complex to use . . . at least initially.
Other methods of trusting code such as trusted locations will continue to work and may remain the preferred solution for many developers.
Here is a brief summary of the different approaches available to developers and end users:
Enable Content
• Allows code to run for the current session only. The button will need to be clicked each time the app is run
• Easy to implement. No protection against changes made by unauthorised users.
Trusted Document
• Allows code to run each time the app is opened but the AMSI scan will run causing code to run more slowly
• Easy to implement
• Code still runs even if changes have been made. No protection against changes made by unauthorised users.
Trusted Location
• Allows code to run each time the app is opened from that location. The AMSI scan will not run so code runs faster
• Easy to implement
• Code still runs even if changes have been made. No protection against changes made by unauthorised users.
VBA project signing
• Expensive. Code signing certificate must be purchased
• More complex to implement
• The signature is invalidated if any changes are made to the code or certain objects such as action queries so the code cannot run
• Does not work in older versions of Access where code certificates are not available
UPDATE 14 Dec 2022
The second page of this article will be used to follow up any questions arising from this article or the YouTube presentation
8. Related Article Return To Top
Is Location Trusted . . . and does it matter?
9. Acknowledgements Return To Top
Many thanks to Sachin Arunkumar for all his hard work in developing this new feature for the Access team.
Also thanks to both Sachin and Shane Groff for responding so promptly to my questions and feedback about the VBA project signing feature. Much appreciated.
10. Feedback Return To Top
Please use the contact form below to let me know whether you found this article useful or if you have any questions.
Do let me know if there are any errors or omissions
Please also consider making a donation towards the costs of maintaining this website. Thank you
Colin Riddington Mendip Data Systems Last Updated 5 Dec 2023
Return to Access Articles Page
Page 1 of 2
1
2
Return to Top
|
|
|