How do you timestamp a sha256 certificate with a s

Published 2019-05-31 00:22

Question:

This quote was taken from an answer to another question about Excel Security settings. The answer proposed using a digital certificate to sign macros to resolve the security issue. Towards the end of the answer, it was noted that: "When you digitally sign macros, it is important to obtain a time stamp. . ."

This is tricky in Office 2013, for a variety of reasons. First, there are two different ways to attach a signature to a spreadsheet. They are known as visible and invisible signatures. The visible signatures can be applied to the whole document using the File > Protect Workbook > Add a digital signature commands. To apply an invisible one to the VBA code alone, from the VBA editor, use the Tools > Digital Signature commands then Choose a certificate to sign with.

It would be preferable to simply protect the VBA code and not the entire spreadsheet, because as soon as you run the macro, the code writes its output into the spreadsheet, and since it's a protected workbook, the code errors out and comes to a halt. This workbook was designed as a demonstration and was saved with a read only recommendation and requires a password to modify it. We want the user to be able to have the macro write to the spreadsheet, but not to save the file with changes under the same name. Since applying a digital signature to the VBA only protects the VBA, when it writes to the spreadsheet, there is no error.

The problem is obtaining a timestamp on the certificate protecting the VBA.

There is a bewildering array of registry and group policy settings that affect timestamping, and it's quite unclear which settings are required to obtain a sha256 timestamp on my sha256 certificate when used to only protect the VBA. I've tried everything available that looks as though it could affect timestamping without joy.

While I've been able to sign spreadsheets and get that signature timestamped using the newer Office XAdES counter signature, the certificate used to sign the VBA project is not timestamped itself.

Entries in the following registry key are required: HKCU\Software\Microsoft\Office\15.0\Common\Signatures

I believe the following values in the key only affect timestamping the whole workbook XAdES signature.

MinXAdESLevel DWORD 2
TSALocation http://timestamp.comodoca.com/rfc3161
XAdESLevel DWORD 5

From experimenting, I have found that it was possible to get the cert protecting the VBA countersigned with a timestamp by using the following registry entries:

HKCU\Software\Microsoft\VBA\Security:
TimeStampURL http://timestamp.comodoca.com/rfc3161
TimeStampRetryCount DWORD 2
TimeStampRetryDelay DWORD 5

Unfortunately, I was only able to obtain a SHA1 timestamp when doing it this way. Soon, that will be like having no timestamp at all on Windows 10.

Does anyone know how to get a SHA256 timestamp in this situation?

Answer 1:

By default, Office does not use a timestamping service when signing or validating code. Using a timestamping service usually takes more time than the default digital signing process. To use a timestamping service, Office needs to communicate with a certificate authority's timestamp server over the Internet to complete the action. You cannot timestamp a digital signature unless you are connected to the Internet.

There is no built-in Office user interface to use this option. To have Office use a timestamping service with all future digital signatures, you need to set these registry keys. The values should be entered under ONE key. Please use the following instructions:

Create a Security key at the VBA level: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security

Add a String value item to the Security key named TimeStampURL with the value set to the time stamp URL below.

The SHA-1 timestamping URL is timestamp.verisign.com/scripts/timstamp.dll (the timstamp.dll filename is required to conform to the old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp

Add a DWORD value item to the Security key named TimeStampRetryCount with the value data set to '3' (in my case I used 3, but you can pick a different number).

Add a DWORD value item to the Security key named TimeStampRetryDelay with the value data set to '3' (in my case I used 3, but you can pick a different number).

To reduce the likelihood that a malicious user can derive a digital certificate's private key from its public key, a commercially obtained digital certificate expires after one year. Office will not allow you to use an expired certificate to sign macros, and will also warn the end user when a digital signature for a file has expired. The end user will see a warning in the usual Digital Signature security warning, which indicates that the certificate is no longer trustworthy. The user can determine if the certificate has expired by looking in the Details dialog box for the certificate.

To prevent you from having to resign your software and Visual Basic for Applications projects every time your certificate expires, some commercial certificate authorities provide a timestamping service. If you use a timestamping service when signing code, a hash of your code is sent to a server to record a timestamp for your code. When using a timestamping service, a user's software can distinguish between code signed with an expired certificate that should not be trusted, and code that was signed with a certificate that was valid at the time the code was signed, but which has subsequently expired.
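The registry values described in the question and in this answer, applied as one idempotent script. This is an added example, not code from the thread: the key paths and value names are the ones quoted above, the Office version key (15.0 = Office 2013) and the retry numbers are assumptions you can change, and the TSA URL defaults to the one the question used but must be replaced with your CA's current RFC 3161 endpoint. Whether the resulting countersignature is SHA-1 or SHA-256 depends on what that endpoint returns, as the thread notes; the script only makes Office ask for one.

```powershell
# Added example (not from the original Q&A): configure Office 2013 to request an
# RFC 3161 timestamp for VBA project signatures and whole-workbook XAdES signatures.
# Assumptions: value names/paths as quoted in the thread; TSA URL is a placeholder
# taken from the question and should be replaced with your CA's current endpoint.
param(
    [string]$TsaUrl     = 'http://timestamp.comodoca.com/rfc3161',  # replace with your CA's RFC 3161 TSA
    [int]   $RetryCount = 3,                                        # TimeStampRetryCount (answer used 3)
    [int]   $RetryDelay = 3                                         # TimeStampRetryDelay (answer used 3)
)

$vbaKey    = 'HKCU:\Software\Microsoft\VBA\Security'
$officeKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Signatures'   # 15.0 = Office 2013 (assumed)

# Create the keys if they do not exist yet; -Force keeps existing values intact.
foreach ($key in @($vbaKey, $officeKey)) {
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# VBA project signature: the three values the question found make Office
# countersign the VBA signature with a timestamp.
New-ItemProperty -Path $vbaKey -Name 'TimeStampURL'        -PropertyType String -Value $TsaUrl     -Force | Out-Null
New-ItemProperty -Path $vbaKey -Name 'TimeStampRetryCount' -PropertyType DWord  -Value $RetryCount -Force | Out-Null
New-ItemProperty -Path $vbaKey -Name 'TimeStampRetryDelay' -PropertyType DWord  -Value $RetryDelay -Force | Out-Null

# Whole-workbook XAdES signature: TSA location plus the XAdES level values listed in the question.
New-ItemProperty -Path $officeKey -Name 'TSALocation'   -PropertyType String -Value $TsaUrl -Force | Out-Null
New-ItemProperty -Path $officeKey -Name 'XAdESLevel'    -PropertyType DWord  -Value 5       -Force | Out-Null
New-ItemProperty -Path $officeKey -Name 'MinXAdESLevel' -PropertyType DWord  -Value 2       -Force | Out-Null

# Read the values back so you can confirm exactly what Office will see before signing.
Get-ItemProperty -Path $vbaKey    | Select-Object TimeStampURL, TimeStampRetryCount, TimeStampRetryDelay
Get-ItemProperty -Path $officeKey | Select-Object TSALocation, XAdESLevel, MinXAdESLevel
```

Run it in the signing user's session (the keys live under HKCU), then restart Excel before signing so the new values are picked up.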