Problem Excel trusting my Add-In

Add-in Express™ Support Service
That's what is more important than anything else

Problem Excel trusting my Add-In
 
ewessely




Posts: 35
Joined: 2019-01-31
Hello,
I've developed an AddIn for Excel and having troubles passing as trusted Addin.
I've signed each and very file (my dll, the adxloaders,...) with an EV certificate from Globalsign.
The click-twice installation works fine, but as soon as you switch on "Require Application Add-ins to be signed by Trusted Publisher" in the Trust Center only the Excel-AddIn is loaded but not the COM Add-In.

I also tried to install my certificate to the "Trusted Publisher" (which is shown then in Trust-Center) but without success.

Any Ideas what I'm doing wrong?

Best regards

Erich
ew
Posted 05 Mar, 2020 11:48:49 Top
Andrei Smolin


Add-in Express team


Posts: 17176
Joined: 2006-05-11
Hello Erich,

I assume the add-ins are developed as two modules in the same assembly. Also I assume that adxloader.dll.manifest wasn't changed by *you*. Anyway, is the add-in publisher specified correctly if you select your add-in in the File | Options dialog window? Then, open the folder where the add-in is registered, right-click 32bit and 64bit loaders, switch to the Digital Signatures tab, select a digital signature and click Details: do you see the text "The digital signature is correct" ?

You can also create a new COM add-in project supporting Excel. Add an Excel XLL module to the project, uncomment the sample function in the code of the XLL module. Sign the add-in as you do this with your real add-in and let it load. Does the issue persist? If yes, please send us the complete test project folder to the support email address; make sure your email contains a link to this topic.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 06 Mar, 2020 07:49:55 Top
ewessely




Posts: 35
Joined: 2019-01-31
Hello Andrei,
many thanks for your prompt answer - as usual :-)

As suggested I created a completly new project and did reproduce the behaviour.
Sidenote: In my real project I'm doing the signing with the MS signtool in a post-build event after obfuscation. I did not take care of signing the xml - my fault, sorry. But the signing process is still a litte bit strange...

Results of research:

My environment:
Win 10
Visual Studio Professional 2019 (16.4.5)
ADX 9.4.4644
EV Codesigning certificate from GlobalSign.

1)
set the signing options via addin express signing options
Result: Not accepted as trusted Add-In. Although SHA1 and SHA256 is checked the files are only signed SHA256

2)
after a further searching I did find the following entry in your forum which seems to point into the right direction.
I disabled the signing options via your plugin and used the adxpatch to sign the manifest. By signing the manifest file, the adxpatch seems to sign also the loader files and my dll. This time the manifest was signed SHA1 and the other files SHA1 and SHA256
Result: The Addin is passing the trust-settings in excel. :-)

3)
Now let's automate the process:
Use adxpatch as a Post-Build event in VS2019 to sign the manifest in the bin\Debug folder.
Result: During the build process you see in the output:

 
1>  AdxSignTest -> C:DataTestAdxSignTestAdxSignTestinDebugAdxSignTest.dll
1>  Update resources 'C:DataTestAdxSignTestAdxSignTestinDebugdxloader.AdxSignTest.dll'... success.
1>  Update resources 'C:DataTestAdxSignTestAdxSignTestinDebugdxloader64.AdxSignTest.dll'... success.
1>  Sign 'C:DataTestAdxSignTestAdxSignTestinDebugAdxSignTest.dll'... success.
1>  Sign 'C:DataTestAdxSignTestAdxSignTestinDebugdxloader.dll.manifest'... success.
1>  Sign 'C:DataTestAdxSignTestAdxSignTestinDebugdxloader.AdxSignTest.dll'... success.
1>  Sign 'C:DataTestAdxSignTestAdxSignTestinDebugdxloader64.AdxSignTest.dll'... success.

Everything looks fine...
But: NONE of the loader and also the manifest is not signed - only the my dll!!!

4) Based on step 3: Put the sign command with the adxpatch into the a file "sign.cmd" and add a "pause" into the cmd file. Run this as postbuild - event with
START /WAIT cmd /c sign.cmd

to see a real command window. On "pause" the command window keeps open and waits for a keystroke.

Result: As long as the command window from the post-build is not closed, you can analyse the results in the bin\debug and will see, that all files are signed correctly as expected.
But: as soon as you hit a key (which will close the command window from the post build) the postbuild (with no further commands) will continue and someone is overwriting the loaders and the manifest with an unsigned version. Strange...


Conclusio:
Integrated signing does not work as expected in VS2019
Post-Build process is not suitable for using adxpatch. Unknown which process overwrites the allready signed files.

Workaround:
In my case I've also an setup-project.
*) Disable Build of the Addin in the Configuration manager of the setup-project
*) Build the Addin
*) Sign the Addin with adxpatch from the command line
*) Build your setup project


Any idea what's going on here? I'm a big fan of automation for reducing human faults. But currently I've no clue who is overwriting the allready signed files.
Maybe you've some idea?


Best regards

Erich
ew
Posted 07 Mar, 2020 13:06:49 Top
Andrei Smolin


Add-in Express team


Posts: 17176
Joined: 2006-05-11
Hello Erich,

We can't reproduce this.

Your certificate should be added to the Trusted Publishers in Офисе; see https://www.spreadsheet1.com/how-to-add-certificate-to-trusted-publishers-in-excel.html.

ewessely writes:
But: NONE of the loader and also the manifest is not signed - only the my dll!!!


This occurs because the Add-in Express package installed in the IDE overwrites the loader files when you build the project. Sign the add-in in the PreBuild event of the setup project instead.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 09 Mar, 2020 06:20:24 Top
ewessely




Posts: 35
Joined: 2019-01-31
Hello Andrei,
thanks for your response.

Of course, I added the certificate to the trusted publisher... ;-)
We can't reproduce this.

Do you mean step one - signing via the integrated signing option?
Which type of certificate do you use? Which dev-environment?
It seems that the integrated signing option has another signing process than adxpatch.

Sign the add-in in the PreBuild event of the setup project instead.

...seems to be my last option :-(

Best regards
Erich
ew
Posted 09 Mar, 2020 07:41:07 Top
Andrei Smolin


Add-in Express team


Posts: 17176
Joined: 2006-05-11
Hello Erich,

Does this work for you? If not, please provide details.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 10 Mar, 2020 04:42:25 Top
ewessely




Posts: 35
Joined: 2019-01-31
Hello Andrei,

the workaround is ok for the moment - not very nice and comfortable, but ok.
Steps for the workaround
*) Build the Add-In project but do NOT sign
*) In the setup-project
- exclude the dll coming from primary output (why: adxpatch signs the dll in the bin/debug (or release) folder but
the setup-project will take the dll from the obj folder which is not signed
- manually add the dll from the bin/debug (or release) folder to the project
*) Add a Pre-build event to the setup-project to sign the adxloader.dll.manifest which automatically signs the rest
*) run a build of the setup-project
*) go to the Add-In project and publish. Important: Set "Sign version_info.xml" in preferences (don't know why, but otherwise the update would throw an exception about an unsigned version_info.xml)


What will not work:
If you sign the Add-In dll in the obj folder with the signtool. (idea behind is not to modify the automatically generated filestructure of the setup project). The hashcode is different and the install process fails.

Again:
The workaround works for me, but this behaviour gives room for improvment for the next release - it could be so easy to just enabling the signing in the Add-In project as intended ;-)

Thank you and have a nice week!
Erich
ew
Posted 10 Mar, 2020 13:40:34 Top
Andrei Smolin


Add-in Express team


Posts: 17176
Joined: 2006-05-11
Hello Erich,

Thank you for sharing your ideas with us!

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 11 Mar, 2020 04:41:49 Top