So I took the general advice and didn’t bother renewing the codematic code signing signature.
The published version of the worksheet unprotector is signed, but the signature expired a while ago. It was valid and in-date when I signed it, although I did not timestamp it. (I hadn’t seen anything to suggest it was (effectively) obligatory.)
So I got this screenshot from a potential customer (or maybe not after this farce). (Actually it was the French version – but I thought this would be clearer for most sos readers)
Signing my code effectively timebombs it – Excel 2007 will claim it’s invalid and refuse to even load it, even from a trusted zone, once the sig has expired.
Not signing my code just gets the user a quick familiar ‘enable macros?’ warning.
It’s not a hard choice, is it? Even ignoring the rip-off nature of buying a cert.
I’m not totally clear how all of this helps security, as it just makes code signing even less attractive. Is something that was signed but has expired really more of a security risk than something that was never signed? Bearing in mind everything that is signed will expire at some point.
I guess I should test it with something that is signed and timestamped, and expired. Has anyone else done that?
At this stage I’m all set to totally give up on signing. I really want to sign my code, because I think it’s the right thing to do. Perhaps I should just get over myself – who is going to imitate a codematic tool with some nastyware?
Hmm, what shall I spend the 200 quid I have saved by not buying a cert on?