Excel – Sign a macro with a code-signing certificate on a Yubikey Smartcard

This article explains how to sign an Excel macro using a code-signing certificate on a Yubikey Smartcard. However, a code-signing certificate in the local certificate store of the operating system would also work.

My organization implements security baselines which prevent our users from executing unsigned code, which includes Excel macros. When needed, we have had to sign these macros for our users so that they are able to execute them on their workstations.

Warning

Only sign code (including Excel macros) that you absolutely trust OR that you have vetted yourself. Depending on your organization’s security posture, signing code that has not been properly tested or code that an end user ‘downloaded from the internet’ could wind up as a major breach for your organization. Always think through the impact of signing code with a code-signing certificate trusted by your organization before signing anything.

Context

  • Windows 10 1903
  • Excel 2016
  • Yubikey 5 NFC

Signing the Macro

These instructions assume a valid code-signing certificate has already been requested and loaded onto a Yubikey smartcard. I plan on eventually writing an article on how to request and load a code-signing certificate onto a smartcard and will link to it here.

Open the Excel spreadsheet with the macro that needs to be signed. If you have not already, enable Developer mode in Excel.

  1. File
  2. Options
  3. Customize Ribbon –> Check the ‘Developer’ box
  4. Click OK to exit out of Excel Options
  5. Click the new ‘Developer’ tab –> Visual Basic
  6. In the new window that appears, click Tools –> Digital Signature…
  7. If the macro has not been signed before, the window should look like below:
  8. Under ‘Sign as’, click ‘Choose…’
  9. If a valid code-signing certificate exists on your smartcard or in the operating system’s certificate store, Excel should find it:
  10. In my case, my certificate is located on my smartcard, and a PIN is required to access its private key, so I am prompted to enter the PIN:
  11. Click OK, and the ‘Digital Signature’ window should be populated with the ‘Certificate Name’ of your code-signing certificate.
  12. Save the Excel document and test executing the macro.
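
Before opening the ‘Choose…’ dialog in step 8, it can help to confirm what Windows exposes as a code-signing certificate for the current user. The PowerShell below is an added example, not part of the original article; it assumes the Yubikey is inserted and that Windows has surfaced the smartcard certificate in the CurrentUser\My store.

```powershell
# Added example: pre-flight check of code-signing certificates visible to the current user.
# Assumption: the smartcard certificate appears in Cert:\CurrentUser\My while the key is inserted.

$now = Get-Date

# -CodeSigningCert returns only certificates whose key usage permits code signing.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert

if (-not $candidates) {
    Write-Warning 'No code-signing certificate found in Cert:\CurrentUser\My.'
    return
}

$report = foreach ($cert in $candidates) {
    # Build the chain against this machine's trust stores with default revocation settings.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        # True only if today falls inside the certificate's validity window.
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        # True when Windows knows where the private key lives (smartcard or local store).
        HasPrivateKey = $cert.HasPrivateKey
        # True when the chain ends in a root this workstation trusts.
        ChainTrusted  = $chainOk
        ChainStatus   = if ($chainStatus) { $chainStatus } else { 'NoError' }
    }

    $chain.Dispose()
}

$report | Format-List
```

A certificate that shows False for InValidity, HasPrivateKey or ChainTrusted is worth investigating before it is used to sign anything. Recording the thumbprint also gives you a reference for which certificate signed a given workbook.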