Certificate signing issues

JamesR

New member
Local time
Today, 16:37
Joined
Aug 20, 2021
Messages
12
Hi Folks,

I posted previously about my company's policy to ban all macros/VBA.

Anyway the current solution was to issue a certificate to myself so I can sign the VBA code and the database should work as normal.
The database was stored on a file share and each user took a copy and ran it locally on their own machine. When I issued a new release of the DB they would grab that and work away.
This worked briefly. I would sign the VBA and when a user started up the database they clicked on the "Enable Content" button and everything worked.
Now instead of the enable content options they get a warning saying that active content was disabled and to click here for details.
The message shows the certificate details and says that it has been tampered with and can't be trusted.

Any ideas why Access gives this error when a file is moved or copied? I think this all started when a Windows 10 update was installed in mid to late February.

TIA
 

Ranman256

Well-known member
Local time
Today, 11:37
Joined
Apr 9, 2015
Messages
4,337
Set TRUSTED LOCATION on that PC and the enable button will not open again.
 

JamesR

New member
Local time
Today, 16:37
Joined
Aug 20, 2021
Messages
12
I wish it was that easy, trusted locations is disabled by the group IT policy.

The main thing is why does Access think the certs have been tampered with. I have attached a copy of the error.
 

Attachments

  • error.jpg

theDBguy

I’m here to help
Staff member
Local time
Today, 08:37
Joined
Oct 29, 2018
Messages
21,468
I wish it was that easy, trusted locations is disabled by the group IT policy.

The main thing is why does Access think the certs have been tampered with. I have attached a copy of the error.
Hi. I think the answer is simple, Access does not recognize the certificate authority (CA) of your "personal" signature. I think only "published" certificates are automatically trusted. And I think to be published, you'll have to be a "commercial" entity.
 

JamesR

New member
Local time
Today, 16:37
Joined
Aug 20, 2021
Messages
12
It does seem like a cert issue, but the certs are issued by IT security; it's not a personal one, so you would like to think that they would work.
Once signed, the file works, but move the file or copy it and the error is thrown up.
 

GPGeorge

Grover Park George
Local time
Today, 08:37
Joined
Nov 25, 2004
Messages
1,857
It does seem like a cert issue, but the certs are issued by IT security; it's not a personal one, so you would like to think that they would work.
Once signed, the file works, but move the file or copy it and the error is thrown up.
IT bans the basic tools you need to use Access (VBA and macros). Then they break certificates. And they also disable Trusted Locations for Access.

I'm sensing a pattern here, aren't you?

TheDBGuy is right, though. Self-signed certs aren't very effective, unfortunately.

I might be spending some time polishing up the old resumé if I were looking at that pattern.
 

KitaYama

Well-known member
Local time
Tomorrow, 00:37
Joined
Jan 6, 2022
Messages
1,541
IT bans the basic tools you need to use Access (VBA and macros). Then they break certificates. And they also disable Trusted Locations for Access.
During my three months of stay here I have seen so many posts against IT teams. Seems that Access developers don't like seeing them around.
I think everybody has forgotten they have a job to do too. They are responsible for the organization's security. Removing the trusted location is inconvenient for the user and makes them click a button to activate a database's code, but it's a huge step for protecting the organization to stop running unwanted scripts.
 

GPGeorge

Grover Park George
Local time
Today, 08:37
Joined
Nov 25, 2004
Messages
1,857
During my three months of stay here I have seen so many posts against IT teams. Seems that Access developers don't like seeing them around.
I think everybody has forgotten they have a job to do too. They are responsible for the organization's security. Removing the trusted location is inconvenient for the user and makes them click a button to activate a database's code, but it's a huge step for protecting the organization to stop running unwanted scripts.
I guess that's true, IT is responsible for security. And that means they have the power to make users' lives easier or harder. I've worked with IT groups that went out of their way to be helpful, and I've been exposed to IT groups that considered it their mission to make Access as hard to use as possible.
 

Galaxiom

Super Moderator
Staff member
Local time
Tomorrow, 01:37
Joined
Jan 20, 2009
Messages
12,852
Hi. I think the answer is simple, Access does not recognize the certificate authority (CA) of your "personal" signature. I think only "published" certificates are automatically trusted. And I think to be published, you'll have to be a "commercial" entity.
No need for a commercial entity to issue the certificate. The certificate just needs to be issued by the domain's Certificate Authority. IT department would then distribute the certificate as a Trusted Publisher in Group Policy and Office should not even ask about signed apps the first time.

The user applies for a certificate using Internet Explorer at an address something like https://domainname/certsrv but it can vary depending on how they have set up the domain. It can also be https://CertificateAuthorityComputerName/certsrv
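
A quick way to check the setup described in the post above on an affected PC, as an added example that is not part of the original thread: it looks for the signing certificate in the Trusted Publishers stores, confirms it carries the Code Signing usage, and builds its chain to the issuing CA. The thumbprint is a placeholder; replace it with the value shown in the certificate details dialog of the signed database.

```powershell
# Added diagnostic sketch, not code from the thread.
# $Thumbprint is a placeholder: use the thumbprint of the certificate
# that was used to sign the database.
param(
    [string]$Thumbprint = '<SIGNING-CERT-THUMBPRINT>'
)

$Thumbprint     = $Thumbprint -replace '\s', ''   # dialog copies often contain spaces
$codeSigningOid = '1.3.6.1.5.5.7.3.3'             # Code Signing enhanced key usage

# 1. Is the signing certificate deployed as a Trusted Publisher (user or machine)?
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$cert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1

if (-not $cert) {
    Write-Output 'Signing certificate is NOT in a Trusted Publishers store on this PC.'
    return
}

# 2. Does the certificate allow code signing, and is it inside its validity period?
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasCodeSigning = [bool]($ekuExt.EnhancedKeyUsages |
    Where-Object { $_.Value -eq $codeSigningOid })
$now     = Get-Date
$inDates = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

# 3. Does the chain build to a root this PC trusts, with revocation checked?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    NotAfter       = $cert.NotAfter
    HasCodeSigning = $hasCodeSigning
    WithinValidity = $inDates
    ChainValid     = $chainOk
    ChainProblems  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

An empty `ChainProblems` with `ChainValid` set to True means the certificate itself is trusted on that PC, so a remaining "tampered" message points at the signed file having changed rather than at certificate trust.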
 

Galaxiom

Super Moderator
Staff member
Local time
Tomorrow, 01:37
Joined
Jan 20, 2009
Messages
12,852
Suggest you read this article about VBA code signing by Philipp Stiefel:
I have still been distributing mde front ends because of the limitation described in the article. However I read recently that the ability to sign the database was reintroduced, in Access 2013 I think. However I have not tested this yet.

BTW, the signing is ostensibly the VBA code but a change to a query will also trigger the invalid message. I have some queries where I alter a pass-through query with code to change the arguments in a function. I have to change them back before closing or the signature is invalidated. (The other alternative of course is to distribute a new copy of the database on every opening.)
 

Galaxiom

Super Moderator
Staff member
Local time
Tomorrow, 01:37
Joined
Jan 20, 2009
Messages
12,852
It does seem like a cert issue, but the certs are issued by IT security; it's not a personal one, so you would like to think that they would work.
Once signed, the file works, but move the file or copy it and the error is thrown up.
It is possible that IT has set up a software execution policy that includes the path. Usually this would relate to exe and dll but it might affect Access due to the code in it, depending on the product they are using to enforce it.
 

Galaxiom

Super Moderator
Staff member
Local time
Tomorrow, 01:37
Joined
Jan 20, 2009
Messages
12,852
I think this all started when a Windows 10 update was installed in mid to late February.
Interesting. I've just started having problems with signed mde saying the signature is invalid. The error looks a bit different but I think it is essentially the same issue.

Even more odd, Access 2010 on the Windows 10 computer I do the signing on stopped recognising the presence of the certificate even though it was definitely in my store. I reinstalled the certificate and now it says there is a problem with it and the signature will be deleted.

This started this week while we have been setting up new servers and planning to migrate to Office 365, which has been "fun" too. Maybe my problem has something to do with using Access 2010. I have not signed anything in Access for a while.
 

Galaxiom

Super Moderator
Staff member
Local time
Tomorrow, 01:37
Joined
Jan 20, 2009
Messages
12,852
I fixed my signing problems today. Signatures on mde by Access 2010 are problems. Access 2010 on Windows 10 cannot sign at all. Re-signed with Access 2013 and now fine even running on 2010 runtime on old servers.

We had Access Runtime 2010 and 365 x86 on Server 22 and certificate problems trying to run on either even with the 2013 signing of the 2010 created mde.

We originally had full Access 365 because it came with Business Pro but had permissions set to stop users having Access. (We deny users the ability to develop in Access for reasons most actual developers would understand.) The Runtime 2010 was for the users. It was installed by the guy setting up the servers because that was how it was set up on the old servers.

Replaced 2010 with 2013 and it worked on both. Then we discovered how to just have Access Runtime for 365 Business Pro. Took 2013 off entirely and just use the 365 runtime.

BTW. As far as the system is concerned, Office 365 is Office 16.0 which is Office 2016.
 

isladogs

MVP / VIP
Local time
Today, 16:37
Joined
Jan 14, 2017
Messages
18,216
All versions of Access starting with 2016 and including 2019, 2021 and 365 are version 16.0.
According to a member of the Access team, the C2R versions all have fundamentally the same code base.
However, different features may be switched on/off depending on the licence purchased.

This has obvious advantages for MS but it also means as a customer that you don't need to reinstall if you change from say 2016 to 2021 or 365.
Just enter the new licence details and it should update automatically.
 
