Sign Office macros with a Code Signing certificate

Sign VBA projects in Excel (.xlsm), Word (.docm), PowerPoint (.pptm) and other Office files. This guide covers both USB token and Azure Key Vault signing, including the critical 32-bit requirement that causes most signing failures.

Why sign Office macros?

  • Trusted execution without security warnings when opening the file
  • Group Policy enforcement: IT departments can restrict execution to signed macros only
  • Tamper protection: V3 signatures fix CVE-2020-0760
  • Enterprise requirement: many organisations mandate signed macros in their security policies

Critical: 32-bit signing requirement

Office SIP (Subject Interface Package) DLLs are 32-bit. You must use the 32-bit version of signtool.exe or the 32-bit .NET host for AzureSignTool. Using 64-bit tools is the #1 reason people fail at signing Office files.

You also need the OfficeSIPs package from Microsoft (download ID 56617) which provides msosipx.dll for modern Office formats and msosip.dll for legacy formats.

Setup

1. Install OfficeSIPs

Download the OfficeSIPs package from Microsoft Download Center (ID 56617). Extract the package and locate msosipx.dll (modern formats) and msosip.dll (legacy formats).

2. Register with 32-bit regsvr32

Use the 32-bit regsvr32 to register the SIP DLL:

C:\Windows\SysWOW64\regsvr32.exe msosipx.dll

3. Locate 32-bit signtool

The 32-bit signtool is found in the x86 directory of the Windows SDK:

C:\Program Files (x86)\Windows Kits\10\bin\<version>\x86\signtool.exe
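One way to confirm the 32-bit requirement before signing, as an added example that is not part of the original guide: the script reads the Machine field of the PE header, so a build step can assert that signtool.exe and the SIP DLL are x86 images. The function names and the constructed sample bytes are assumptions of this example.

```python
import struct

# COFF Machine values defined in the PE/COFF specification
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def pe_machine(data: bytes) -> str:
    """Return the target architecture of a PE image given its raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew (offset 0x3C) holds the file offset of the 'PE\0\0' signature
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_offset:pe_offset + 4] != b"PE\0\0" or len(data) < pe_offset + 6:
        raise ValueError("not a PE file: missing PE signature")
    # The 16-bit Machine field follows the signature directly
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINES.get(machine, f"unknown(0x{machine:04x})")


def check_toolchain(paths):
    """Map each path (signtool.exe, msosipx.dll, ...) to its architecture."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            result[path] = pe_machine(fh.read())
    return result


def constructed_pe(machine: int) -> bytes:
    """Constructed sample: DOS header, PE signature and Machine field only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return dos.ljust(0x80, b"\0") + coff


if __name__ == "__main__":
    # Constructed inputs standing in for an x86 and an x64 signtool.exe
    for label, sample in (("x86 build", constructed_pe(0x014C)),
                          ("x64 build", constructed_pe(0x8664))):
        arch = pe_machine(sample)
        verdict = "OK for Office SIPs" if arch == "x86" else "will not load the 32-bit SIP"
        print(f"{label}: {arch} -> {verdict}")
```

In a signing pipeline, pass the real paths to check_toolchain and stop the job unless every value is "x86".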

Signing with signtool (USB token / SafeNet)

Use the 32-bit signtool with the /sha1 flag to identify your certificate by thumbprint. Run the command three times to create all three signature types.

Run 3 times (creates Legacy, Agile, V3 signatures):

"C:\Program Files (x86)\Windows Kits\10\bin\<version>\x86\signtool.exe" sign ^
  /sha1 YOUR_THUMBPRINT /fd sha256 ^
  /tr http://timestamp.digicert.com /td sha256 ^
  "C:\path\to\your-file.xlsm"

Always include timestamping (/tr) so signatures remain valid after the certificate expires.

Signing with AzureSignTool (Azure Key Vault)

Use the x86 .NET host or publish AzureSignTool with the -r win-x86 flag. Run the command three times (same as signtool).

Run 3 times (creates Legacy, Agile, V3 signatures):

"C:\Program Files (x86)\dotnet\dotnet.exe" tool run AzureSignTool sign ^
  -kvu https://your-vault.vault.azure.net ^
  -kvc your-certificate-name ^
  -kvt YOUR_TENANT_ID ^
  -kvi YOUR_CLIENT_ID ^
  -kvs YOUR_CLIENT_SECRET ^
  -fd sha256 ^
  -tr http://timestamp.digicert.com ^
  -td sha256 ^
  "C:\path\to\your-file.xlsm"

Triple-signing explained

Office VBA projects use three separate signature formats. Each pass of signtool creates one additional signature.

Pass | Signature | Storage | Notes
1 | Legacy | vbaProjectSignature.bin | Original format, all Office versions
2 | Agile | vbaProjectSignatureAgile.bin | Office 2010 and later
3 | V3 | vbaProjectSignatureV3.bin | Fixes CVE-2020-0760. Microsoft 365 2102+, Office 2019/2016 with updates.
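A post-signing check for the three passes, as an added example that is not part of the original guide: it opens a modern OOXML file as a ZIP package and reports which of the three signature parts named in the table are present. It checks presence only and does not validate the signatures; the function names and the constructed sample package are assumptions of this example.

```python
import io
import posixpath
import zipfile

# Part names taken from the triple-signing table
SIGNATURE_PARTS = {
    "vbaProjectSignature.bin": "Legacy",
    "vbaProjectSignatureAgile.bin": "Agile",
    "vbaProjectSignatureV3.bin": "V3",
}


def vba_signature_status(source):
    """Report which VBA signature parts an OOXML package contains.

    source is a path or file-like object (.xlsm, .docm, .pptm, ...).
    Legacy .xls/.doc/.ppt files are not ZIP packages and raise BadZipFile.
    """
    with zipfile.ZipFile(source) as pkg:
        # Match on the base name so the same check works for xl/, word/ and ppt/
        names = {posixpath.basename(i.filename) for i in pkg.infolist()
                 if i.file_size > 0}
    has_macros = "vbaProject.bin" in names
    present = [label for part, label in SIGNATURE_PARTS.items() if part in names]
    missing = [label for part, label in SIGNATURE_PARTS.items() if part not in names]
    return {"has_macros": has_macros, "present": present, "missing": missing,
            "fully_signed": has_macros and not missing}


def constructed_package(parts):
    """Constructed sample: a ZIP with placeholder bytes, not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for part in parts:
            pkg.writestr("xl/" + part, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed case: signtool was run once, so only the Legacy part exists
    one_pass = constructed_package(["vbaProject.bin", "vbaProjectSignature.bin"])
    print(vba_signature_status(one_pass))
```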

Supported file types

Modern OOXML formats (uses msosipx.dll)

.xlsm, .xlam, .xlsb, .xltm, .docm, .dotm, .potm, .ppam, .ppsm, .pptm

Legacy formats (uses msosip.dll)

.xls, .doc, .ppt

The signing process is the same for all file types.

Common errors and solutions

"File format cannot be signed because it is not recognized"

OfficeSIPs (msosipx.dll) are not registered, or you are using the 64-bit signtool. Register with 32-bit regsvr32 and use the x86 signtool.

Signature is not visible in Office

You only signed once instead of three times. Office requires all three signature formats (Legacy, Agile, V3) for the signature to appear in the VBA editor.

AzureSignTool fails to sign Office files

You are not using the x86 .NET runtime. Use C:\Program Files (x86)\dotnet\dotnet.exe to run AzureSignTool, or publish it as a self-contained x86 binary with -r win-x86.

Frequently asked questions about Office macro signing

Yes. Use AzureSignTool with the x86 .NET host (C:\Program Files (x86)\dotnet\dotnet.exe) or publish with the -r win-x86 flag. The signing process is identical to executable signing, but you must run it three times.
No. Any Code Signing certificate works (OV or EV). The Extended Key Usage 1.3.6.1.5.5.7.3.3 covers both software signing and macro signing.
Office VBA uses three signature formats: Legacy (for older Office versions), Agile (for Office 2010+) and V3 (introduced to fix CVE-2020-0760, a tamper vulnerability). All three are needed for full compatibility and security.
Either the OfficeSIPs (msosipx.dll) are not registered, or you are using the 64-bit signtool instead of the 32-bit version. Office SIP DLLs are 32-bit, so you must use the 32-bit signtool from C:\Program Files (x86)\Windows Kits\10\bin\<version>\x86\.
