Signing VBA Code in Access .accdb databases - A (bad) joke?

by Philipp Stiefel, originally published September 5th, 2017

Photo by Wokandapix. Used here under CC0 licensing

Signing executable code is a good idea. I absolutely support this idea in general and I definitely would do this much more often, if it were easier and more versatile and straight-forward to implement.

Recently the IT-department of one of my customers requested that Microsoft Access applications I develop for them are digitally signed with a code signing certificate. They provided a code signing certificate (PBX-File) issued by their internal Root-CA together with the private key for that certificate.

With the initial hurdle of obtaining a certificate already out of the way, I was very open to this request and went right to work.

Setup and preparations

I imported this certificate into my local Personal certificate store (automatically chosen by the import wizard.) Then I imported it again into the Trusted Publishers certificate store. The latter is not required to sign code, but it will prevent a warning/confirmation message when a file signed with this certificate is opened.

Then I set the Macros Settings in the Access/Office Trust center to “Disable all macros except digitally signed macros”.

So far, so good. Everything was set up and now it should have been easy to sign the VBA code in my Access applications, shouldn’t it? - Think again!

Sign VBA code

The classic approach in Access to sign your VBA code is to open the VBA environment. Use the “Tools” - “Digital Signature …” menu item, Choose the certificate you want to use and confirm the dialog(s) with OK. - Done, the project is signed. - Simple it had been, but it was no more.

Access (2010) surprised me with this nasty message:

Microsoft Access cannot save the digital signature at this time.
- You may be in a database under Source Code Control.
- You may be in a database which is read only.
- The database uses either the *.accdb or *.accde file name extension. To sign such a database, click the File tab, point to the Publish menu, and then click Package and Sign.

Source code control? - No, not this time.

Read only? - Certainly not!

*.Accdb database? Yes, indeed my database was in the .accdb format. That is the recommend file format from Access 2007 onward, isn’t it?

Well, I was not too annoyed by the message, yet. It seemed to suggest an easy alternative.

I did as I was told, went to the File tab in Access, selected Package and Sign, and hit the Save As button. I selected the certificate for signing and Access created an .accdc file from my database for me. Everything seemed to work smoothly

After the file was created, I opened the .accdc file from Windows Explorer. Access opened the file without any security warning and further confirmation. (Because I added the certificate to the Trusted Publishers already, otherwise I would have had to confirm this. You would have the option to “Trust all from publisher” then.)

Access then asked for a file location to extract the file to. I deliberately selected a local folder that was not a Trusted Location. Access extracted the actual accdb-database from the accdc container.

And then things went downhill. - They actually did before, but it was not noticeable, yet.

Where’s my code signature?

When I opened the actual database nothing happened. The VBA code was not executed. So it seemed the VBA code in this database was not signed at all. - Remember: I set the option “Disable all macros except digitally signed macros”.

I double checked all the settings, recreated the “Signed Package”, and triple checked everything again. - No joy, no running VBA.

After running out of ideas, I finally opened the “signed” .accdb file in a hex editor and searched for the signature.

The signature was easily locatable in a signed mdb-format database, it was also in the .accdc package file, but there was no trace of the signature in the accdb file that was supposed to be signed.

There was a simple explanation for this: It . was . not . there!

Conclusion

I am still in disbelief, but research on the web confirms my findings. The Package and Sign feature intentionally only signs the otherwise useless .accdc container. But it does not at all sign the database inside.

This whole feature is only intended to provide a container for Access databases you want to put on the web for download. It is similar to a signed installer file, but has no effect whatsoever on the actual database.

I cannot comprehend what the guys at Microsoft were thinking when implementing this. There is an official article by Microsoft on Access database code signing. It totally conceals the fact that code signing Access .accdb files is almost completely useless. It states that you actually “digitally sign a database”, which is not true!

The only option to prevent warnings or automatically disabled VBA code in your deployed Microsoft Access databases is to use Trusted Locations.

I hope you read this text before you wasted time and money on acquiring a code signing certificate and trying to sign your Access database. - It’s pointless.

Post Scriptum - This is Access accdb specific!

PS: Just to be clear on this. This whole issue is specific to Microsoft Access and the .accdb file format. The VBA code signing feature in other Microsoft Office applications, like MS Word or MS Excel works as expected and is usable in many scenarios.

Share this article: