InfoPath 2007 Full Trust XSN Code Sign Not Working

  • Question

  • We are using InfoPath 2007 forms on workstations as an input form for a medical EMR package that a developer wrote in house. The user wanted the form to look pretty and have the ability to print exactly how it was seen on the screen, so this was the solution the developer came up with.  The forms are part of a Windows application and are opened within our application using the InfoPath 2007 viewer .NET control.

    We have been using a self-signed certificate and have been inserting the certificate into the Trusted Publisher cert store on application startup so that we can update the application with a self-extracting zip file. However, we are tightening security on our machines at work, and the practice of allowing the application to control the certificates will no longer work as they are locking down user privileges; also, in my opinion, this is bad practice.  It has been decided to move away from this practice, and we want to use a certificate deployed by our intermediate Domain CA and utilize Group Policy to deploy certificates to user machines.

    I have a signed InfoPath 2007 form using a domain CA issued code signing certificate using a sha256RSA signature algorithm and a sha256 hash.  The certificate contains a private key and is imported to the developer personal cert store.  We create a full trust InfoPath form and sign it on the developer's machine using the cert mentioned in the previous sentence.  We then exported the binary .cer of the certificate and deployed this cert using Group Policy to all user machines in our organization unit into the Local Machine Trusted Publisher certificate store.  To test the signature piece we click on the InfoPath .xsn file outside of the application environment to launch the form in native InfoPath 2007.  If we get the error that the form cannot verify the signature, we know it will not work in our application, as the form cannot be displayed by the Microsoft InfoPath viewer .NET control.  It is as if the InfoPath form cannot recognize the certificate installed in the cert store.  I check the cert store and see the certificate; however, I do not see any registry entries where I would expect them to live:

    HKLM\Software\Microsoft\SystemCertificates\TrustedPublisher

    I am confused why none of this is working.

    Does anyone have an idea as to why the forms appear like they are not installed on the machines?  Can InfoPath 2007 utilize certificates that are sha256 signed and hashed?  
    Tuesday, April 25, 2017 3:43 PM

Answers

  • The issue is that prior to InfoPath 2007 Build 12.0.6735.5000 SP3 MSO (12.0.6766.5000), certificates using SHA256 algorithms are not supported.  Upgrade InfoPath to the latest build.
    • Marked as answer by Nick Druda Wednesday, April 26, 2017 6:31 PM
    Wednesday, April 26, 2017 6:31 PM
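
A check that could be run on an affected workstation, as an added example that is not part of the original posts: it confirms the certificate is in the machine Trusted Publisher store, shows whether it arrived through the local registry or Group Policy (Group Policy-deployed certificates are stored under the `Policies` key, not the key quoted in the question), and reports the signature algorithm and the installed InfoPath build. The thumbprint placeholder and the `INFOPATH.EXE` path are assumptions; PowerShell 3.0 or later is required.

```powershell
param(
    # Assumption: thumbprint of the code-signing certificate (placeholder value).
    [string]$Thumbprint = '<THUMBPRINT-OF-SIGNING-CERT>',
    # Assumption: default Office 2007 install path; adjust (e.g. Program Files (x86)).
    [string]$InfoPathExe = "$env:ProgramFiles\Microsoft Office\Office12\INFOPATH.EXE"
)

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

# Logical store view: merges locally installed and Group Policy-deployed certificates.
$cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "Certificate $Thumbprint is not in LocalMachine\TrustedPublisher."
    return
}

# Physical registry locations that feed the logical store.
$locations = [ordered]@{
    'Local registry' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates'
    'Group Policy'   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates'
}
$foundIn = foreach ($name in $locations.Keys) {
    if (Test-Path (Join-Path $locations[$name] $Thumbprint)) { $name }
}

# Trusted Publisher alone is not enough: the chain to the domain root must also build.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

# Installed InfoPath build, to compare against the builds named in the answer.
$build = if (Test-Path $InfoPathExe) {
    (Get-Item $InfoPathExe).VersionInfo.FileVersion
} else { 'INFOPATH.EXE not found at assumed path' }

[pscustomobject]@{
    Subject            = $cert.Subject
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA
    NotAfter           = $cert.NotAfter
    PhysicalStore      = $foundIn -join ', '
    ChainValid         = $chainOk
    ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    InfoPathBuild      = $build
}
```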