When opening a file that contains signed add-ins, you may see the following warning message:

Warning: The digital signature is valid but is from a publisher whom you have not yet chosen to trust.

The following scenarios could trigger such a warning:

  1. When the `requireaddinsig` security policy is enabled.

    Note: This registry policy asks users to only use add-ins signed by a trusted publisher.

  2. After a system update.

Explanation

This is a known issue. When the `requireaddinsig` security policy is enabled, the system validates that all signing certificates are stored in the Trusted Publishers store before loading the add-in or any associated Dynamic Link Libraries (DLLs).

These certificates are used not only for signing the add-in but also for signing the associated official DLLs. The official certificates are owned by Microsoft, but due to technical limitations, they cannot be embedded within the Office installer. As a result, developers or admins need to manually update the certificates in the Trusted Publishers store when new versions are issued.

In this case, the affected DLLs include:

  1. VSTOEE.DLL

  2. FDATE.DLL

  3. MOFL.DLL

  4. IMCONTACT.DLL

  5. FSTOCK.DLL

  6. FBIBLIO.DLL

  7. Azure DevOps add-in

Workaround

To resolve the warning:

  1. Install the required certificates manually.

  2. Export the certificates as .cer files before installing them.

Since the certificates are not updated frequently, manual review is required when a new version is issued.

Export public key certificate

To export a public key certificate to a .cer file:

  1. Search for the affected .dll files (for example, vstoee.dll can usually be found at `C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll` or `C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll`).

  2. From the search results, select the .dll file, right-click it, and select Properties.

  3. Under the Digital Signatures tab, select the signature under Embedded Signatures and then select Details.

  4. Select View Certificate in the Digital Signature Details dialog.

  5. Under the Details tab, select Copy to File to export the end certificate to a .cer file.

  6. Under the Certificate Path tab, select the root certificate and then select View Certificate.

  7. Under the Details tab, select Copy to File within the root certificate's Certificate dialog, to export the root certificate to another .cer file.
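
The same export can be scripted with a check that each DLL's embedded signature actually verifies before its certificate is trusted. The script below is an added example, not part of the original article; `$OutDir` is an assumed output folder, and `$DllPaths` defaults to the two vstoee.dll locations given in step 1.

```powershell
# Added example: export the signer and root certificates of the affected DLLs
# and report whether the signer is already in the Trusted Publishers store.
param(
    # Defaults are the vstoee.dll paths from step 1; pass other affected DLLs as needed.
    [string[]]$DllPaths = @(
        'C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll',
        'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll'
    ),
    # Assumed output folder for the exported .cer files.
    [string]$OutDir = "$env:TEMP\addin-certs"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($dll in $DllPaths) {
    if (-not (Test-Path -LiteralPath $dll)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $dll
    # Only take a certificate from a file whose signature verifies; an unsigned
    # or modified DLL must not be the source of a trusted publisher entry.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$dll : signature status is $($sig.Status); skipping"
        continue
    }

    $signer = $sig.SignerCertificate
    # Build the chain to locate the root (what the Certificate Path tab shows).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($signer)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    foreach ($cert in @($signer, $root)) {
        $file = Join-Path $OutDir "$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
    }

    # One row per DLL so missing or soon-to-expire publishers are easy to spot.
    [pscustomobject]@{
        Dll                = $dll
        SignerSubject      = $signer.Subject
        SignerThumbprint   = $signer.Thumbprint
        SignerNotAfter     = $signer.NotAfter
        RootThumbprint     = $root.Thumbprint
        InTrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($signer.Thumbprint)"
    }
}
```

Review the subject and thumbprint of each exported certificate before deploying it, since adding a certificate to Trusted Publishers extends trust to everything signed with it.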

Deploy the certificates

End users

End users can deploy the certificates by installing the exported certificates to their local certificate store. Users can open cmd as an administrator and run the following commands:

  1. `certutil -addstore -f "Personal" {cert path}`

  2. `certutil -addstore -f "TrustedPublisher" {cert path}`

Organization Admin

Organization admins can use deployment tools like Group Policy Object (GPO) to deploy certificates to all the organization members. For more information or troubleshooting help, please contact the deployment tool's support service.
