Background information

Acrobat binaries (executables and PDFMaker Add-in DLLs) are digitally signed, and their digital signatures are counter-signed by a time-stamping service. Time-stamping ensures that the digital signature remains valid even after the signing certificate has expired. When new code is added to a binary, it is signed with the latest valid certificate and subsequently counter-signed by a time-stamping service.

Problem description

When the "Require that application add-ins are signed by Trusted Publisher" setting is enabled for Office Add-ins (from Trust Center Settings > Group Policy), Office disables the Add-in and shows the warning in the screenshot below.

Add-ins warning

You may interpret the above warning as being caused by the expiration of the signing certificate (expired on 7/26/2015). The Microsoft support article about managing trusted publishers lists the following points, which adds to the confusion:

===================================================

Trusted publishers are reputable and meet all the following criteria:

  • Their code is signed by their digital signature.
  • Their digital signature is valid.
  • Their digital signature is current (not expired).
  • The certificate associated with the digital signature was issued by a reputable certificate authority (CA).

===================================================

Adobe's recommendation

Adobe clarifies that when a digital signature is timestamped (counter-signed), it remains valid even after the signing certificate expires, and is considered current (not expired).

When you add the signing certificate to the trusted publisher list, the warning goes away and the add-in is enabled.
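
The check and the fix described above, as an added PowerShell example (not Adobe's or Microsoft's own tooling). It reports whether the signer certificate has expired, whether the signature carries a time-stamp counter-signature, and whether the signer is already a trusted publisher. The script parameters and the use of the current user's TrustedPublisher certificate store as the trusted publisher list are assumptions of this example.

```powershell
# Added example. $Path and -Trust are this script's own (hypothetical) parameters.
param(
    [Parameter(Mandatory)][string]$Path,  # full path to the add-in DLL to inspect
    [switch]$Trust                         # also add the signer to Trusted Publishers
)

$sig    = Get-AuthenticodeSignature -FilePath $Path
$signer = $sig.SignerCertificate
if (-not $signer) { throw "No Authenticode signature found on $Path" }

# The two facts the warning makes easy to confuse:
$expired     = $signer.NotAfter -lt (Get-Date)          # signing certificate past its end date
$timestamped = $null -ne $sig.TimeStamperCertificate    # counter-signed by a time-stamping service

# Assumption: the trusted publisher list is the current user's TrustedPublisher store.
$trusted = [bool](Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Where-Object Thumbprint -eq $signer.Thumbprint)

[pscustomobject]@{
    File               = $sig.Path
    Status             = $sig.Status          # Windows' overall verdict on the signature
    Signer             = $signer.Subject
    SignerNotAfter     = $signer.NotAfter
    SignerExpired      = $expired
    TimeStamped        = $timestamped
    InTrustedPublisher = $trusted
}

if ($expired -and -not $timestamped) {
    Write-Warning 'Signer certificate expired and no time stamp is present.'
}

if ($Trust -and -not $trusted) {
    # Only trust a publisher whose signature Windows currently reports as valid.
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to trust signer: signature status is $($sig.Status)"
    }
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
        'TrustedPublisher', 'CurrentUser')
    $store.Open('ReadWrite')
    try   { $store.Add($signer) }
    finally { $store.Close() }
    Write-Output "Added $($signer.Thumbprint) to CurrentUser\TrustedPublisher"
}
```

Run it without -Trust first to review the signer subject and thumbprint before adding anything to the store.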

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
