Digitally Signed Fully Trusted Form Templates

In the InfoPath 2003 Service Pack 1 Preview you can create a fully trusted form template by signing the XSN with a code signing certificate.  Here’s what you do:

 

  • While in the InfoPath designer, select Tools | Form Options | Security
  • Uncheck the “Automatically determine security level based on form’s design” option
  • Select Full Trust
  • Click the Sign this form button

At this point, you need to choose a certificate that can be used for code signing.

 

If you do not have a certificate, you can choose the Create Certificate button.  This will create a test certificate – not a certificate that has been authenticated by a certificate authority.

 

While you are developing your form template, you will not be able to preview with full trust permissions unless you register the form template. 

 

The first time your users fill out a form that you have signed with a given certificate, they will see a Security Warning dialog that notifies them that the form template is digitally signed and asks if they trust the publisher.  Once they have checked the box to trust the publisher, they will be able to open any form template that asks for full trust and is signed with that same certificate.

 

You can view the list of trusted publishers in the SP1 version of InfoPath by selecting Tools | Options and clicking on the Trusted Publishers button.

 

If users find that the option to trust the publisher is disabled, that means that the root of the certificate used is not trusted on the user’s machine. 

 

You obtained your code-signing certificate by requesting it from a CA (Certificate Authority). The certificate the CA delivered is now in your personal folder, and it is trusted by you and by anybody who trusts the CA that issued it.  So, for example, if you get a code signing certificate from Verisign, any user will have the option to trust you as a publisher as long as they also have Verisign in the list of Trusted Root Certification Authorities on their machine.  Once a user has trusted the root of a certificate, the option to trust the publisher will be enabled in the Security Warning dialog that is displayed when they fill out a fully-trusted, signed form.
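
To check ahead of time whether a signing certificate chains to a root that a given machine trusts, the following added example (not part of the original post or of InfoPath) builds the chain with the .NET `X509Chain` class from Windows PowerShell. The function name `Test-SigningCertRootTrust` is hypothetical, and the use of PowerShell is an assumption; run it on the machine whose trust you want to test, with the certificate present in the current user's Personal store.

```powershell
# Added example: for each code-signing certificate in the current user's
# Personal store, report whether its chain ends in a root this machine trusts.
function Test-SigningCertRootTrust {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is switched off so the result reflects root trust
    # only and the check also works offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    $built = $chain.Build($Certificate)

    # Collect every problem the chain engine reported (empty when there is none).
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $untrusted = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::UntrustedRoot
    $rootUntrusted = $flags -contains $untrusted

    # The last element of the built chain is the root, or the highest
    # certificate the chain engine could find.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        ChainTop      = $top.Subject
        # A test certificate that is its own issuer has no CA behind it.
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
        RootTrusted   = -not $rootUntrusted
        ChainValid    = $built
        ChainProblems = ($flags -join ', ')
    }
}

# -CodeSigningCert limits the listing to certificates usable for code signing.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    ForEach-Object { Test-SigningCertRootTrust -Certificate $_ } |
    Format-List
```

A certificate reported with `RootTrusted : False` is one for which users on that machine would find the option to trust the publisher disabled, as described above.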

 

Users can trust the root of a certificate through the Security Warning dialog that comes up when they open a form template.  When the Security Warning dialog is open:

 

  • Click on the Details button
  • Click on the Certification Path tab
  • Click on the CA Root Certificate
  • Click the View Certificate button
  • Click Install Certificate
  • Follow through the Certificate Import Wizard
  • After the import is successful, close out of all of the dialogs
  • Open the form to fill out again; when the Security Warning is displayed, the option to trust the publisher should be enabled.