How do I sign an XLA from Excel 2016 with a timestamp?

问题

I am struggling to sign an XLA from Excel 2016 with a timestamp. This is important, because without a timestamp the signature becomes invalid when the code signing certificate used expires. Unfortunately by default Excel does not apply a timestamp to the signature.

Microsoft's documentation (https://docs.microsoft.com/en-us/deployoffice/security/use-digital-signatures-with-office) states:

To use the time stamp functionality with digital signatures, you must complete the following tasks:

Set up a time stamp server that is compliant with RFC 3161

Use the Group Policy setting, Specify server name, to enter the location of the time stamp server on the network.

My certificate issuer, Comodo, states that their time stamping server (http://timestamp.comodoca.com) supports RFC 3161 (https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server).

I downloaded and installed the Office 2016 Administrative Template files (ADMX/ADML) from https://go.microsoft.com/fwlink/p/?LinkID=626001 in order to apply group policy settings. In the Local Group Policy Editor, I can then access User Configuration, Administrative Templates, Microsoft Office 2016, Security Settings, Digital Signatures where the relevant group policy settings are found.

I initially set the following:

Specify timestamp server name to http://timestamp.comodoca.com
Set timestamp server timeout to 20

... then when these didn't work (see below), I also set:

Specify minimum XAdES level for digital signature generation to XAdES-T
Requested XAdES level for signature generation to XAdES-T

... because XAdES-T "Adds a time stamp to the XML-DSig and XAdES-EPES sections of the signature, which helps protect against certificate expiration" - which sounds like what I need.

I am signing in the VBA Editor using Digital Signature from the Tools menu.

However, when I check the signature, I still see no timestamp.

I am checking the signature as follows (I'm not aware of a simpler way):

In the Developer ribbon, click Macro Security, select Add-ins, then check Require Application Add-ins to be signed by Trusted Publisher. Click OK, then close Excel. (I'm not a trusted publisher, so I am intentionally causing my add-in to be disabled.)
Restart Excel, and create an empty workbook. (My add-in is configured to be loaded automatically.) A SECURITY WARNING is shown due to step 1.

Click for more details as prompted, then choose Advanced Options from the Enable Content menu.

In the Microsoft Office Security Options dialog, scroll down to the add-in which was signed and click Show Signature Details. This opens the Digital Signature Details dialog which shows Signing time: Not available, indicating the lack of a timestamp:

My understanding is that a signature with a timestamp will show it here, e.g.

... but I have been unable to achieve this with my XLA.

回答1:

According to your timestamp server's documentation:

RFC 3161 timestamping is used by SignTool (using the /tr parameter) and other applications (such as jarsigner).

Our time stamping server (http://timestamp.comodoca.com) automatically selects the appropriate signature algorithm (RSA/SHA-1, RSA/SHA-256 or RSA/SHA-384) with which to sign each timestamp, based on the hash algorithm you specify (e.g. via SignTool's /td parameter).

^{(Image Source)}