Sunday, October 09, 2011

Trust me, I’m digitally signed

InfoPath has this concept of trust levels. A form template can be running in one of three levels of trust – Restricted, Domain or Full Trust. By default, InfoPath uses the Restricted trust level. This prevents you from accessing any resources outside of the form template. If you add any managed code or data connections, InfoPath will raise the trust level to Domain. Sometimes your template needs to include code that requires the Full Trust level. If that’s the case, then you need to jump through extra hoops to enable this level.

There are two approaches that you can use to enable Full Trust – deploying the form to desktops using an installation package or digitally signing a form. To me, the first approach is cumbersome, as it requires you to redeploy the form any time there are changes. That’s fine if your forms are very stable, but most of the forms we work on go through multiple updates. Perhaps there are easy ways to redeploy forms using products like SCCM, but I haven’t any experience with them.

The second approach – digitally signing – allows you to deploy the form to a SharePoint forms library or network share. For me, this makes life easier if you need to update the template.

So what is involved in digitally signing an InfoPath template? In this post, I’ll walk you through my recent experiences. Digital signatures are just one of the many areas I’m no expert in, so please forgive any incorrect assumptions I have made. I was inspired to write this post due to the lack of information I found when researching this topic myself.

To state the obvious, before you can digitally sign a form template, you are going to need a digital certificate. This certificate needs to be issued by a “Certificate Authority” (commonly called a CA) that is trusted. My understanding is that our operating systems maintain a list of Trusted Root Certification Authorities. In Vista and Windows 7, this list of root certificates is updated any time your computer encounters a certificate signed by a Certificate Authority that it doesn’t already know about. You can read more about this on TechNet.

If you want to have a look at the list of Root Certificates on your computer, open Internet Explorer 9, then go to Internet Options – Content – Certificates – Trusted Root Certification Authorities. Have a look at the Untrusted Publishers while you are there. It just goes to show that you can’t trust everyone.

I believe that it is possible for an organisation to set up their own certificate server and register themselves as a Trusted Root Certification Authority on computers within their own network, but that is not something I have played with. Instead, we decided to purchase a certificate from Thawte, one of the main commercial Certificate Authorities.

My first challenge was trying to figure out exactly what I needed to buy. I couldn’t find any reference to InfoPath code signing on any of the Certificate Authority web sites. They all seem to offer a bunch of certificate types and it was unclear to me which one I needed. For example, Thawte offer a Microsoft Authenticode certificate and a Microsoft Office VBA certificate. Well, InfoPath is an Office product, but I’m not signing VBA code. I decided to go with the Authenticode option.

When I first started looking into digital signing, I wasn’t sure what exactly I needed to purchase a certificate for. Did I need a certificate for each InfoPath form template, for each computer that needed to sign forms or for each person? It turns out I was purchasing a certificate for my company. We could then sign any number of InfoPath forms with this certificate. We could deploy the code-signing certificate to as many computers as we wanted and it could be used by as many staff members as we wanted. It makes sense, though, to keep tight control over who has access to the certificate, otherwise you run the risk of your certificate being used to sign code that you really don’t want to be associated with.
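To keep track of where a company code-signing certificate has ended up, you can inventory each computer for code-signing certificates that have their private key installed and check whether they chain to a trusted root. The script below is an added example, not part of the original post; it assumes Windows PowerShell with the built-in certificate provider, and the store list and variable names are my own choices.

```powershell
# Added example: list code-signing certificates on this computer that have
# a private key present, and check whether each chains to a trusted root.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

$report = foreach ($store in $stores) {
    # -CodeSigningCert is a dynamic parameter of the certificate provider
    # that returns only certificates valid for code signing.
    Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            # Build the chain locally; revocation checking is switched off
            # so the inventory also works without network access.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $trusted = $chain.Build($_)

            # The last chain element is the root (or the highest issuer found).
            $top = $null
            if ($chain.ChainElements.Count -gt 0) {
                $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            }

            [pscustomobject]@{
                Store        = $store
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                DaysLeft     = [int]($_.NotAfter - (Get-Date)).TotalDays
                ChainTrusted = $trusted
                ChainTop     = $top
            }
        }
}

if ($report) {
    $report | Sort-Object NotAfter | Format-List
} else {
    Write-Output 'No code-signing certificates with a private key were found.'
}
```

Any computer or user profile that shows up in this report and is not on your list of approved signing machines is a copy of the key you did not know about.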

In my next post, I’ll walk you through the steps for purchasing a cert, installing it on a computer and then signing your InfoPath form template.