How to distribute macro signature certificates in a domain?

Guest

I sign macros in my office documents and I have my macro security set to high.

How do I roll out the certificate for macro signature verification to all
hosts in an AD domain in an automated way so that these signed macros (but
only these!) are executed under a "high" security setting without the user
having to answer to any dialog box ("Do you trust this signer?")?

Thanks,
Martin
 
NickHK

Martin,
I would hope that is not possible.

But the user would only have to accept your cert once.

NickHK
 
Guest

Nick,

Thanks for the fast reply.
> I would hope that is not possible.
I don't understand this statement.

My situation is the following: I will, as admin, install a software solution
on all my users' hosts. This solution contains macros. I want to preapprove
macros signed by me, so that the users don't have to make that decision, and,
in particular, never get the idea to ever accept macros signed by anybody
else. I cannot rely on my users to make the correct decision if they get the
"trust" pop-up, thus I want to be able to instruct them to always press "no" if
they get a "trust" question, not sometimes "yes" and sometimes "no".

The installation for the whole solution including macros and certs has to be
fully automatic (no human interaction). Any ideas?

Thanks,
Martin
 
Peter Huang [MSFT]

Hi Martin,

In addition to the common deployment, we also need to deploy the trusted
publisher registry setting from a machine that has already accepted it.

Office 2003
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates

You will have to look at the binary blob for clues to pick the right cert
if there is more than one registered.

NOTE: this is an documented behavior.


Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
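
Added example, not part of the original thread and not Microsoft's code: one way to pick the right entry from the binary blobs mentioned above before deploying it. It assumes each subkey under the Certificates key is named after the certificate's SHA-1 thumbprint and holds a `Blob` value in the serialized certificate element layout (property id, reserved dword, length, data, with property 32 carrying the DER certificate); the sample blobs and helper names are constructed for illustration.

```python
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3   # stored SHA-1 thumbprint property
CERT_CERT_PROP_ID = 32       # the DER-encoded certificate itself


def parse_blob(blob: bytes) -> dict:
    """Split a serialized certificate element into {property_id: value}."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if length > len(blob) - off:
            raise ValueError("property %d overruns the blob" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def matches_thumbprint(subkey_name: str, blob: bytes) -> bool:
    """True if the embedded certificate hashes to the subkey name."""
    der = parse_blob(blob).get(CERT_CERT_PROP_ID)
    if der is None:
        return False
    return hashlib.sha1(der).hexdigest().upper() == subkey_name.upper()


def pick_cert(entries: dict, expected_thumbprint: str):
    """Return the DER certificate for the signer you intend to trust, or None."""
    for name, blob in entries.items():
        if name.upper() == expected_thumbprint.upper() and matches_thumbprint(name, blob):
            return parse_blob(blob)[CERT_CERT_PROP_ID]
    return None


def make_sample_blob(der: bytes) -> bytes:
    """Build a constructed blob (hypothetical helper for the sample data)."""
    sha1 = hashlib.sha1(der).digest()
    return (struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(sha1)) + sha1 +
            struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der)


# Constructed stand-ins for two exported Blob values (not real certificates).
SAMPLE_DER_A = b"0\x82constructed-cert-A"
SAMPLE_DER_B = b"0\x82constructed-cert-B"
SAMPLE_ENTRIES = {hashlib.sha1(d).hexdigest().upper(): make_sample_blob(d)
                  for d in (SAMPLE_DER_A, SAMPLE_DER_B)}
```

Comparing the thumbprint of the signing certificate you issued against the subkey name, and re-hashing the embedded certificate, ensures that only your own publisher entry is exported for deployment and not another signer accepted on the reference machine.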
 
