Digital signature lost under specific conditions

Started by Nikolay, March 12, 2020, 01:28:04 PM


Nikolay

Visio may break the digital signature of a VBA project, resulting in the "corrupted digital signature" message (screenshot below).

The steps to reproduce the problem:

- Create a digitally signed stencil with a VBA macro (Stencil1.vss). Create a module there, say Module1, with a function called Sub1 doing nothing
- Create a digitally signed drawing (Drawing1.vsd)
- Add a reference to the stencil from the drawing (add reference to VSS) in the VBA project. This is quite specific, and I have hardly seen anybody using this feature. Or maybe it's just me. To do that, open the VBA IDE, then go to "Add reference..." and select the stencil created at step 1 (Stencil1.vss). Yes, you can add references not only to DLLs but also to Visio files. Amazing.
- Use some code from the stencil in the drawing to make sure the reference is actually created. Add some function there like calling Module1.Sub1 in ThisDocument
- Save everything
- Try opening - should be fine.
- Now move the stencil to another (accessible to Visio!) location, for example to "My Shapes" (if you previously created it in the same folder as the drawing)
- Open the drawing again (should be opened properly)

- Save ==>> Here is the problem. It looks like Visio updates the VBA project with new referenced stencil path, thus breaking the digital signature. BOOM

- Close and open the drawing again. BOOM. Invalid digital signature :o



Could somebody please verify/confirm?
The easier steps (the files are attached, signature-issue.zip):

- Download and unzip the attached zip file (Drawing5.vsd + Stencil5.vsd)
- Open the drawing file. Visio prompts about security. Click "Trust all from publisher" (the publisher is me, you can remove that later)
- Close and open the file again. It should open fine, and you should be able to see that both the diagram and the stencil are signed (in the VBA Project)
- Save the file (<= here it breaks it), and close it.
- Open the file again => broken signature message.

vojo

One of the reasons I stay away from VBA and Visio. Excel, so far, has been fine.

Visio Guy

Hi Nikolay,

I downloaded and followed your steps.

I saved Drawing5.vsd to Drawing5-2.vsd. I was able to save, close and re-open Drawing5-2.vsd without any issues.

It appears that Stencil5.vss is opened invisibly - perhaps through the VBA project reference?

Anyway, two more observations:

1. Using stencil references has always made me nervous since we could first do it many, many years ago. It seemed to cause crashes every once in a while for reasons I never figured out.
2. My certificates (used only in VSTO add-ins) were completely messed up a month or two ago, but seem to be working again. I'm not sure if there is some sort of internet-checking that goes on that was messed up, or a Windows update, or what. Never figured it out, but it seems to be working again.


Nikolay

Dear Chris, thank you for trying it out :D
I'm trying to "go deeper" to be 100% sure that's the case :D, trying to see what exactly Visio changes in the VBA on save.

It turns out there is a tool to extract information from a binary VBA project file (the vbaproject.bin block in a Visio file, which is easily accessible if you save the file as .vsdm).
The thing is called oledump: https://blog.didierstevens.com/programs/oledump-py
It's in Python. Not sure if it works for Visio, but I will try to figure it out.

Please note that to reproduce the issue you should have the security set to "enable only digitally signed macros" at least (or stricter).
And follow the steps in my post exactly - deviations (like not saying "trust all from publisher", but enabling macros instead) lead to a different result :D
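
The before/after comparison described in the last post, as an added example (not code from the thread or from oledump): it pulls the vbaProject.bin part out of two .vsdm saves and reports the byte window that changed between them. The package contents below are constructed stand-ins and the part is matched by file name only; stream-level inspection of a real project still needs an OLE-aware tool such as oledump.

```python
import hashlib
import io
import zipfile


def read_vba_part(package: bytes) -> bytes:
    """Return the raw vbaProject.bin part from a macro-enabled OPC package (.vsdm)."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            # Match on the file name only; the folder inside the package is not assumed.
            if name.lower().endswith("vbaproject.bin"):
                return zf.read(name)
    raise ValueError("no vbaProject.bin part in package")


def changed_window(before: bytes, after: bytes):
    """Trim the common prefix and suffix; return (offset, old_bytes, new_bytes) or None."""
    if before == after:
        return None
    limit = min(len(before), len(after))
    start = 0
    while start < limit and before[start] == after[start]:
        start += 1
    tail = 0
    while tail < limit - start and before[-1 - tail] == after[-1 - tail]:
        tail += 1
    return start, before[start:len(before) - tail], after[start:len(after) - tail]


def compare_saves(pkg_before: bytes, pkg_after: bytes) -> dict:
    """Hash the VBA part of both saves and locate the bytes that differ."""
    old, new = read_vba_part(pkg_before), read_vba_part(pkg_after)
    return {
        "sha256_before": hashlib.sha256(old).hexdigest(),
        "sha256_after": hashlib.sha256(new).hexdigest(),
        "window": changed_window(old, new),
    }


def _constructed_package(vba_bytes: bytes) -> bytes:
    """Constructed stand-in for a .vsdm: a zip with one fake vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("visio/vbaProject.bin", vba_bytes)
    return buf.getvalue()


# Constructed sample bytes (not a real VBA project): only the referenced path differs.
BEFORE = _constructed_package(b"HDR|ref=C:\\Work\\Stencil1.vss|module=Module1|END")
AFTER = _constructed_package(b"HDR|ref=C:\\My Shapes\\Stencil1.vss|module=Module1|END")
```

With real files, pass the bytes of the .vsdm saved before and after the re-save to `compare_saves`; a non-empty window means the signed project content was rewritten on save.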