PC Review



Digital code signing certificates a waste of money for Access 2007

 
 
dbguyatlanta
 
      1st Apr 2010
I bought a Comodo code signing certificate thinking it would rid me of
Microsoft's security message mess once and for all. It seems that in Access
2007 the certificate only applies to the intermediate file (.accdc) created
by the package and sign feature and not the actual database (.accdb) that
gets extracted from the accdc file.

When users open the accdc file, they get a chance to accept the certificate
but once the accdb file is extracted behavior returns to the usual flurry of
useless security messages. In other words, it seems like the database is
signed only for as long as it's in the 'wrapper' (the accdc file) and it's no
longer signed once it's extracted.

Am I missing something?
 
 
 
 
 
Arvin Meyer [MVP]
 
      2nd Apr 2010
Lots of folks are unhappy with code signing certificates for different
reasons. Rather than try to diagnose the problem you can work around it by
building a trusted location:

http://office.microsoft.com/en-us/ac...319991033.aspx
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.accessmvp.com
http://www.mvps.org/access





 
Reply With Quote
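The trusted-location workaround suggested in the reply above, written out as an added example that is not part of the original thread: it registers one folder as a per-user trusted location for Access 2007 and then lists any existing trusted locations that are broader than a single local folder. The folder path and the description text are placeholders; the registry path assumes Office 2007 (version key 12.0).

```powershell
# Added example, not from the thread. Assumes Office 2007 (registry version key "12.0").
$AppFolder = 'C:\Apps\MyAccessApp\'   # placeholder: the folder that holds the .accdb
$Root = 'HKCU:\Software\Microsoft\Office\12.0\Access\Security\Trusted Locations'

function Get-TrustedLocation {
    # Return every trusted location currently defined for this user.
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem $Root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object psobject -Property @{
            Key             = $_.PSChildName
            Path            = [string]$p.Path
            AllowSubfolders = [bool]$p.AllowSubfolders
        }
    }
}

function Test-RiskyLocation($Location) {
    # Return the reasons an entry trusts more than one local application folder.
    $reasons = @()
    if ($Location.Path -match '^(\\\\|https?:)') { $reasons += 'network path' }
    if ($Location.AllowSubfolders)               { $reasons += 'subfolders trusted' }
    if ($Location.Path -match '^[A-Za-z]:\\?$')  { $reasons += 'drive root' }
    if ($Location.Path -match '\\(Downloads|Temp|Desktop)\\?$') {
        $reasons += 'folder that routinely receives untrusted files'
    }
    $reasons
}

function Add-TrustedLocation([string]$Folder) {
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    $existing = @(Get-TrustedLocation)

    # Do nothing if the folder is already trusted.
    $wanted = $Folder.TrimEnd('\')
    $match = $existing | Where-Object { $_.Path.TrimEnd('\') -ieq $wanted }
    if ($match) { return }

    # Pick the first unused LocationN key name.
    $names = @($existing | ForEach-Object { $_.Key })
    $n = 0
    while ($names -contains "Location$n") { $n++ }
    $key = Join-Path $Root "Location$n"

    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Path -Value $Folder `
        -PropertyType String -Force | Out-Null
    # 0 = trust only this folder, not everything beneath it.
    New-ItemProperty -Path $key -Name AllowSubfolders -Value 0 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value 'Added by deployment script' `
        -PropertyType String -Force | Out-Null
}

Add-TrustedLocation $AppFolder

# Audit: report entries that widen trust beyond a single local folder.
foreach ($loc in @(Get-TrustedLocation)) {
    $why = @(Test-RiskyLocation $loc)
    if ($why.Count -gt 0) {
        Write-Warning ("{0} ({1}): {2}" -f $loc.Key, $loc.Path, ($why -join ', '))
    }
}
```

Any file placed in a trusted location opens with its code enabled and no prompt, so the folder should be writable only by the user or an administrator.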
 
dbguyatlanta
 
      2nd Apr 2010
Thanks for taking the time to respond. The information in your link does work
for a certain user situation but there are many user situations involving the
Access 2007 runtime where the trust center is not an option. And sure, there
are yet other ways to manually disable the security warning mess Microsoft
has implemented but they all involve some analysis of the user's situation
(version of Office installed, the user's ability to edit the registry, etc.).
I was hoping to avoid all this.

The whole point of paying for my code signing certificate (I thought) was to
get rid of Microsoft's security warning mess entirely. It appears to me the
code signing certificate does accomplish this goal in Excel 2007. In Access
2007 however, the code signing feature seems to be a slapdash feature thrown
in at the last minute so they can claim that we have not gone backwards once
again as we did with the ribbon (offering no tools to easily create custom
ribbons or at least maintain existing tool/menu bars).

Again, if I've missed something and Access 2007 really can handle code
signing the same as Excel 2007 or Access 2003, I would greatly appreciate
info on how to sign the actual database, not just the accdc file.

Thanks

 
Tom van Stiphout
 
      4th Apr 2010
The way I read this article:
http://office.microsoft.com/en-us/ac...0471033.aspx#3
that is by design: the purpose seems to be to build a setup program
you can trust (note how the article is talking about a "signed
package"), not to build an app you can trust.

Did you try this: Code window > Tools > Digital Signature to sign the
VBA project?

-Tom.
Microsoft Access MVP
 
dbguyatlanta
 
      4th Apr 2010
> The way I read this article:
> http://office.microsoft.com/en-us/ac...0471033.aspx#3
> that is by design: the purpose seems to be to build a setup program
> you can trust (note how the article is talking about a "signed
> package"), not to build an app you can trust.


Yes, that's exactly my understanding and all I would add is they have
removed the ability to sign code in the same way as the other 2007 apps do it
and previous versions of Office. Instead of really signing code, all they are
doing (essentially) in Access 2007 is signing a zip file (the accdc file)
that contains the database. Once the database is delivered and extracted from
the accdc file you no longer have a code signed file and you are subjected to
all of the usual security warnings unless you have prepared for the file with
trusted locations or other workarounds. And those workarounds are what one is
trying to avoid in the first place by purchasing a code signing certificate.
I suppose somebody that is offering Access databases for download off a
website might find the package and sign feature of minor interest but wow,
this is no step forward, lots of vendors offer better, more sophisticated web
delivery tools. In other words, in this instance Microsoft took away
something useful and replaced it with something of little value. The vast
majority of us doing Access development work don't need the package and sign
feature and those that need signed delivery/installation files are probably
already using better alternatives. What we need is the ability to sign the
database customers actually open and run to rid us of all the security
warning mess.

> Did you try this: Code window > Tools > Digital Signature to sign the
> VBA project?


Yes, it's where I started actually, and this feature is interesting. They
sort of pretend it's going to do something, wasting your time as you choose
the certificate and go through the motions. Then at the last minute they
issue an error message saying that for various possible reasons the file
can't be signed. They specifically say in the error message that accdb and
accde files must use the package and sign feature, so when would this feature
ever be used??? I believe that in truth there is no scenario where the
Digital Signature feature on the VB editor toolbar ever works in 2007. You
can only use the Package and Sign feature. Unless I've missed something, this
feature seems kind of dishonest, or maybe meant to satisfy some mindless
consistency with the VB editors in other Office 2007 products that actually
can sign code.


 
Arvin Meyer [MVP]
 
      6th Apr 2010
Have you tried signing the database first, then creating your install
package and signing that too?
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.accessmvp.com
http://www.mvps.org/access


 
dbguyatlanta
 
      6th Apr 2010
"Arvin Meyer [MVP]" wrote:

> Have you tried signing the database first, then creating your install
> package and signing that too?
> --


Yes, that's what got this thread started. Menu option Tools>Digital
Signature in the Access 2007 Visual Basic editor pretends like it is going to
work. You can select a certificate and so forth but at the last step Access
displays an error message saying that you cannot actually use this feature to
sign code in accdb and accde files, you have to use the package and sign
feature instead.






 
Arvin Meyer [MVP]
 
      7th Apr 2010
I'd say that your recourse now is with the certificate issuer. You should be
able to sign an application, that's the purpose of the certificate in the
first place.
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.accessmvp.com
http://www.mvps.org/access


 
dbguyatlanta
 
      7th Apr 2010
"Arvin Meyer [MVP]" wrote:

> I'd say that your recourse now is with the certificate issuer. You should be
> able to sign an application, that's the purpose of the certificate in the
> first place.


I think you missed a few things. My certificate works fine with the Access
2007 package and sign feature (the problem being this feature is useless),
and it works as expected with the code signing feature in Excel 2007. When I
try to use the Tools>Digital Signature menu option in the Access 2007 VB
editor, it does not complain about the certificate. The error message
displayed states that accdb and accde cannot be signed, we have to use the
package and sign feature instead.

Unless I've missed something or have done something wrong (which is what I
was looking for when I started this thread), the responsible party is
Microsoft not the certificate issuer. Microsoft appears to have yanked the
real code signing feature from Access 2007 and instead offers the nearly
useless package and sign feature ("useless" in the sense that it does not
stop security warning messages when users open your database and other
vendors offer far better tools for web distribution).

Thanks anyway for taking the time to respond.





 
dbguyatlanta
 
      8th Apr 2010
I should have added that the first thing I tried was to generate a
certificate with the Office 2007 "Digital Certificate for VBA Projects"
feature. The self-signed certificate had the same problems as the one I
purchased from Comodo.

Today I read some threads that seemed to indicate the code signing feature
in Access 2007 does work with ADP files. I have not tried that, but the threads I
found were discussing problems with the code signing being lost under certain
circumstances. So that makes the situation even more murky: why can ADP files
be signed in the VBA editor but not accdb or accde files?

"Arvin Meyer [MVP]" wrote:

> I'd say that your recourse now is with the certificate issuer. You should be
> able to sign an application; that's the purpose of the certificate in the
> first place.
> --
> Arvin Meyer, MCP, MVP
> http://www.datastrat.com
> http://www.accessmvp.com
> http://www.mvps.org/access
>
>
> "dbguyatlanta" <(E-Mail Removed)> wrote in message
> news:02714EFE-99AF-4D27-B17C-(E-Mail Removed)...
> > "Arvin Meyer [MVP]" wrote:
> >
> >> Have you tried signing the database first, then creating your install
> >> package and signing that too?
> >> --

> >
> > Yes, that's what got this thread started. Menu option Tools>Digital
> > Signature in the Access 2007 Visual Basic editor pretends like it is going to
> > work. You can select a certificate and so forth but at the last step Access
> > displays an error message saying that you cannot actually use this feature to
> > sign code in accdb and accde files; you have to use the package and sign
> > feature instead.
> >
> >> Arvin Meyer, MCP, MVP
> >> http://www.datastrat.com
> >> http://www.accessmvp.com
> >> http://www.mvps.org/access
> >>
> >>
> >> "dbguyatlanta" <(E-Mail Removed)> wrote in message
> >> news:E0E3CF42-4654-4E05-AE30-(E-Mail Removed)...
> >> >> The way I read this article:
> >> >> http://office.microsoft.com/en-us/ac...0471033.aspx#3
> >> >> that is by design: the purpose seems to be to build a setup program
> >> >> you can trust (note how the article is talking about a "signed
> >> >> package"), not to build an app you can trust.
> >> >
> >> > Yes, that's exactly my understanding and all I would add is they have
> >> > removed the ability to sign code in the same way as the other 2007 apps do it
> >> > and previous versions of Office. Instead of really signing code, all they are
> >> > doing (essentially) in Access 2007 is signing a zip file (the accdc file)
> >> > that contains the database. Once the database is delivered and extracted from
> >> > the accdc file you no longer have a code signed file and you are subjected to
> >> > all of the usual security warnings unless you have prepared for the file with
> >> > trusted locations or other workarounds. And those workarounds are what one is
> >> > trying to avoid in the first place by purchasing a code signing certificate.
> >> > I suppose somebody that is offering Access databases for download off a
> >> > website might find the package and sign feature of minor interest but wow,
> >> > this is no step forward, lots of vendors offer better, more sophisticated web
> >> > delivery tools. In other words, in this instance Microsoft took away
> >> > something useful and replaced it with something of little value. The vast
> >> > majority of us doing Access development work don't need the package and sign
> >> > feature and those that need signed delivery/installation files are probably
> >> > already using better alternatives. What we need is the ability to sign the
> >> > database customers actually open and run to rid us of all the security
> >> > warning mess.
> >> >
> >> >> Did you try this: Code window > Tools > Digital Signature to sign the
> >> >> VBA project?
> >> >
> >> > Yes, it's where I started actually, and this feature is interesting. They
> >> > sort of pretend it's going to do something, wasting your time as you choose
> >> > the certificate and go through the motions. Then at the last minute they
> >> > issue an error message saying that for various possible reasons the file
> >> > can't be signed. They specifically say in the error message that accdb and
> >> > accde files must use the package and sign feature, so when would this feature
> >> > ever be used??? I believe that in truth there is no scenario where the
> >> > Digital Signature feature on the VB editor toolbar ever works in 2007. You
> >> > can only use the Package and Sign feature. Unless I've missed something, this
> >> > feature seems kind of dishonest, or maybe meant to satisfy some mindless
> >> > consistency with the VB editors in other Office 2007 products that actually
> >> > can sign code.
> >> >
> >> >
> >> > "Tom van Stiphout" wrote:
> >> >
> >> >> On Thu, 1 Apr 2010 12:59:02 -0700, dbguyatlanta
> >> >> <(E-Mail Removed)> wrote:
> >> >>
> >> >> The way I read this article:
> >> >> http://office.microsoft.com/en-us/ac...0471033.aspx#3
> >> >> that is by design: the purpose seems to be to build a setup program
> >> >> you can trust (note how the article is talking about a "signed
> >> >> package"), not to build an app you can trust.
> >> >>
> >> >> Did you try this: Code window > Tools > Digital Signature to sign the
> >> >> VBA project?
> >> >>
> >> >> -Tom.
> >> >> Microsoft Access MVP
> >> >>
> >> >>
> >> >> >I bought a Comodo code signing certificate thinking it would rid me of
> >> >> >Microsoft's security message mess once and for all. It seems that in Access
> >> >> >2007 the certificate only applies to the intermediate file (.accdc) created
> >> >> >by the package and sign feature and not the actual database (.accdb) that
> >> >> >gets extracted from the accdc file.
> >> >> >
> >> >> >When users open the accdc file, they get a chance to accept the certificate
> >> >> >but once the accdb file is extracted behavior returns to the usual flurry of
> >> >> >useless security messages. In other words, it seems like the database is
> >> >> >signed only for as long as it's in the 'wrapper' (the accdc file) and it's no
> >> >> >longer signed once it's extracted.
> >> >> >
> >> >> >Am I missing something?

All times are GMT +1. The time now is 04:35 AM.