Microsoft InfoPath 2010
The official blog of the Microsoft InfoPath team

Digitally Signed Fully Trusted Form Templates


In the InfoPath 2003 Service Pack 1 Preview you can create a fully trusted form template by signing the XSN with a code signing certificate.  Here’s what you do:

 

  • While in the InfoPath designer, select Tools | Form Options | Security
  • Uncheck the “Automatically determine security level based on form’s design” option
  • Select Full Trust
  • Click the Sign this form button

At this point, you need to choose a certificate that can be used for code signing.

 

If you do not have a certificate, you can choose the Create Certificate button.  This will create a test certificate – not a certificate that has been authenticated by a certificate authority.

 

While you are developing your form template, you will not be able to preview with full trust permissions unless you register the form template. 

 

The first time your users fill out the form that you have signed with a certain certificate, they will see a Security Warning dialog that notifies them that the form template is digitally signed and asks if they trust the publisher.  Once they have checked the box to trust the publisher, they will be able to open any form template that asks for full trust and is signed with that same certificate.

 

You can view the list of trusted publishers in the SP1 version of InfoPath by selecting Tools | Options and clicking on the Trusted Publishers button.

 

If users find that the option to trust the publisher is disabled, that means that the root of the certificate used is not trusted on the user’s machine. 

 

Your code-signing certificate was issued to you by a CA (Certificate Authority) at your request. What the CA delivered is a certificate that is now in your personal folder and that is trusted by you and by anybody who trusts the CA that issued it.  So, for example, if you get a code signing certificate from Verisign, any user will have the option to trust you as a publisher as long as they also have Verisign in the list of Trusted Root Certification Authorities on their machine.  Once a user has trusted the root of a certificate, the option to trust the publisher will be enabled in the Security Warning dialog that is displayed when they fill out a fully-trusted, signed form.

 

Users can trust the root of a certificate through the Security Warning dialog that comes up when they open a form template.  When the Security Warning dialog is open:

 

  • Click on the Details button
  • Click on the Certification Path tab
  • Click on the CA Root Certificate
  • Click the View Certificate button
  • Click Install Certificate
  • Follow through the Certificate Import Wizard
  • After the import is successful, close out of all of the dialogs
  • Open the form to fill out again and when the Security Warning is displayed the option to trust the publisher should be enabled.
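
The root-trust condition described above can be checked from PowerShell on the machine in question, which shows whether a certificate chains to an already trusted root or is a self-signed test certificate. This is an added example, not code from the InfoPath team; the function name `Test-CodeSigningCertTrust` is hypothetical, and the usage line assumes the certificate sits in the current user's personal store.

```powershell
# Added example. Test-CodeSigningCertTrust is a hypothetical helper name.
function Test-CodeSigningCertTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    # Build the chain against the local certificate stores.
    # Revocation checking is skipped so the check also runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainValid = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # The last chain element is the root, or the highest certificate that was found.
    $top = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    # Code Signing EKU is OID 1.3.6.1.5.5.7.3.3.
    # A certificate with no EKU extension at all is not restricted to any purpose.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $codeSigning = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }).Count -gt 0)

    # The root counts as trusted only if the chain is complete and ends in a trusted root.
    $rootTrusted = -not (($status -contains $flags::UntrustedRoot) -or
                         ($status -contains $flags::PartialChain))

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        SelfSigned     = $Certificate.Subject -eq $Certificate.Issuer
        CodeSigningEku = $codeSigning
        RootTrusted    = $rootTrusted
        ChainValid     = $chainValid
        TopOfChain     = if ($top) { $top.Subject } else { $null }
        Expires        = $Certificate.NotAfter
        ChainStatus    = $status -join ', '
    }
}

# Usage: report on every code-signing certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    ForEach-Object { Test-CodeSigningCertTrust -Certificate $_ } | Format-List
```

A result with `RootTrusted = False` corresponds to the case where the option to trust the publisher is disabled; `SelfSigned = True` identifies a test certificate of the kind the Create Certificate button produces.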

 

 

  • This is really a nice overview. Thanks.

    What happens when the code-signing certificate expires?
  • Must I do this also if I want to debug my fully trusted forms or is there an easier way? Now I sign my form, publish it, open the xsn, and attach the debugger to the InfoPath process... This is quite time-consuming...
  • You should register the form during development time to debug. Here's a topic talking about debugging fully trusted forms with managed code:
    http://blogs.msdn.com/davfries/archive/2004/07/13/182648.aspx
  • Could I ask you a question about the Regform tool?
    After using Regform.exe to register a form designed as a fully trusted form, I can't find any change in the template.xml and manifest.xml files except an attribute (requirFullTrust = "Yes") added in manifest.xml. But why? This is my input: Regform /U urn:miti:bbi /T Yes d:\miti.xsn.
    I want to know why urn:miti:bbi wasn't added to the two files above.
    Waiting for reply! Thanks a lot!
  • Hi,

    Is there any way to deploy the InfoPath forms on the client, without requiring a server?

    What I am doing is creating an InfoPath form and adding that into Word's Document Information Panel, but Word has the following restriction:

    "The Document Information Panel template cannot be opened because it was published to the local computer or an Internet or untrusted site. Install or publish the template to a local intranet or trusted site and then try again."

    Do you have any idea about this?

    Thanks

    Manoj

  • Hi,

    Manoj, I have the same issue.  Did you manage to resolve it?

    Thanks


  • This is not the case for InfoPath 2010. How I Digitally Signed Fully Trusted Form Templates in Microsoft InfoPath 2010.

  • InfoPath 2010 still allows you to sign your form template. You can do this from the File/Form Options dialog's Security tab. Set the permissions to Full Trust, and select the signing certificate.

    Note that the dialog gives you an option to generate a certificate. This certificate is both short-term (one month expiration) and also self-signed (meaning a consumer has to install your cert in their trusted store), and should therefore only be used for testing purposes. Real signatures should be sent to your appropriate cab-signing service.

  • sharepointsolution2010.blogspot.com/.../change-document-information-panel-with.html

  • That's all very well, but when the certificate expires, submitted forms are no longer viewable until the underlying template is republished with a valid certificate.
