OFF2000: Cannot Verify the Digital Signature of a Document That Contains a Macro (816895)



The information in this article applies to:

  • Microsoft Office 2000

SYMPTOMS

When you try to open a signed document that contains a Visual Basic for Applications (VBA) macro, you may not be able to verify the digital signature.

CAUSE

Office 2000 cannot construct a certificate chain to the trusted certification authority (CA) while it verifies a signed VBA macro. This problem occurs because the intermediate code-signing CA is not present in the certificate store. However, if you manually install the code-signing intermediate CA into the intermediate certificate store on the Office 2000 client computer, the certificate chain verification to a trusted root succeeds.

The existing VBA code-signing root CA (VeriSign Commercial Software Publishers CA) expires on January 7, 2004. At the end of October 2002, this expiring CA will be rolled over to a new code-signing root CA (a new version of Class 3 Public Primary Certification Authority that expires in 2028) and a new code-signing intermediate CA (that expires in 2011). No new certificates will be issued from the old CA after the end of October 2002. All code-signing replacements for certificates issued from the old CA will still be signed by the old CA, and replacement certificates will expire before the old CA expires. In the certificate world, child certificates never outlive their parent certificates.

The migration from the old code-signing CA to the new code-signing CA must be seamless both to developers who sign their code and to the end users of the signed code, with some exceptions and workarounds that are detailed in this article. The exceptions are on the client side and affect the end users who use signed code. They arise only because of the introduction of an intermediate CA.

WORKAROUND

To work around this problem, the code-signing intermediate CA must be present on each client system for Office to correctly verify a signed VBA project. After the new code-signing intermediate CA is imported into the intermediate certificate store of a system, the certificate chain verification to a trusted root succeeds.

Note: The following steps are specific to importing a new VeriSign code-signing intermediate CA. The steps to import your new CA may be different.
  1. In your Web browser, visit the following VeriSign Web site, and then download the new code-signing intermediate CA:
  2. Import the new code-signing intermediate CA:
    1. Double-click the file you downloaded.
    2. In the Certificate dialog box, click Install Certificate on the General tab.
    3. In the Certificate Import Wizard, click Next.
    4. Click Automatically select the certificate store based on the type of certificate, and then click Next.
    5. Click Finish to close the Certificate Import Wizard.
    6. When you receive the following message, click OK: The import was successful.
  3. Click OK to close the Certificate dialog box.
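
A scripted equivalent of the import steps above, useful when the intermediate CA must be placed on many clients. This is an added example, not part of the original article. It assumes a Windows client with PowerShell and the PKI module's Import-Certificate cmdlet, and both file paths are placeholders.

```powershell
# Added example. Both file paths are placeholders (assumptions, not from the article).
param(
    [string]$IntermediatePath = 'C:\Temp\codesign-intermediate.cer',  # CA file from step 1
    [string]$SignerPath       = 'C:\Temp\macro-signer.cer'            # exported signing cert
)
$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-ChainReport {
    param($Cert)
    $chain = New-Object "$X509.X509Chain"
    # Revocation is skipped so the result reflects chain construction only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        Built    = $built
        Subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status   = @($chain.ChainStatus   | ForEach-Object { $_.Status })
    }
}

$intermediate = New-Object "$X509.X509Certificate2" $IntermediatePath
$signer       = New-Object "$X509.X509Certificate2" $SignerPath

# Sanity checks: the signer should be issued by this CA and must not outlive it.
if ($signer.Issuer -ne $intermediate.Subject) {
    Write-Warning "Signer was issued by '$($signer.Issuer)', not by this intermediate CA."
}
if ($signer.NotAfter -gt $intermediate.NotAfter) {
    Write-Warning "Signer expires after the intermediate CA ($($intermediate.NotAfter))."
}

"Before import:"
Get-ChainReport $signer | Format-List

# 'CA' is the Intermediate Certification Authorities store.
$store   = 'Cert:\CurrentUser\CA'
$present = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $intermediate.Thumbprint }
if (-not $present) {
    Import-Certificate -FilePath $IntermediatePath -CertStoreLocation $store | Out-Null
}

"After import:"
$report = Get-ChainReport $signer
$report | Format-List
if (-not $report.Built) { exit 1 }   # non-zero exit lets a deployment script flag the client
```

A `PartialChain` entry in `Status` means an issuer could not be found, which is the condition described under CAUSE.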

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem has been fixed in Microsoft Office XP, where the signature verification of a signed package occurs from the certificate chain that is embedded in the digital signature instead of the certificate store on the client computer.

Modification Type: Minor
Last Reviewed: 5/30/2003
Keywords: kbprb kbpending kbbug kbfix KB816895