Created attachment 144453 [details] macro signed template imagine an enterprise environment, where users should work with templates (containing macros) and macro security level is set to "High": steps to reproduce: - set Macro Security to "High": Menu "Tools/Options.../LibreOffice/Security/[Macro Security...]" - open attached template: Menu "File/Templates/Open Template ..." - check "[x] Always trust macros from this source" and [Enable Macros] btw: is there an option to prevent users trusting a signed macro? imho it would make sence to have an option to allow only macro's signed with preinstalled/validated certificates. - verify signatures: document (banner below toolbar) and macro (Menu "Tools/Macros/Digital Signature..." - close template - open a document from template: Menu "File/Open.../macro_signed_template.ott" - document and macro signature's have been removed. - but [Run Macro] will still work! - save "Untitled 1" as "test.odt" and close - open "test.odt" - macros execution is disabled now "repair" test.odt: - copy "META-INF/macrosignatures.xml" from "macro_signed_template.ott" to test.odt's "META-INF" folder. - open "test.odt" - [Run Macro] will work again conclusion: macro signature's should not be removed as long as macro source code has not changed. problem: - open "test.odt" - Menu "File/Tools/Macros/Edit Macro" - edit macro (for example change msgbox text) *without* saving the document - [Run Macro] will work! - save and close - open "test.odt" - macro will not work conclusion: macro execution should be disabled as soon as macro source code has changed. user should be warned editing signed macro code.
Confirm that the behavior is as you describe. Test system Ubuntu 18.04, Version: 6.1.1.0.0+ Build ID: 30c178dcb3301527ad92bbd245d1525ab77e314e
Scope of this bug is a bit wider (applies to all documents), but the example is duplicate to bug 42316.
I stumbled over this while looking for a bug like 129311. So I'll just add some update Finished parts: * macro signatures should not be removed as long as macro source code has not changed => bug 42316 * prevent users to trust a signed macro with *High* macro security set and locked trusted authors list => bug 129311 This leaves: * signed macros should be disabled as soon as the source code has been changed (and therefore invalidated the signature) * user should be warned when editing signed macro code This bug shows exactly why I don't like a single bug for multiple problems. Maybe someone will remember to close this bug at some point, if finally all parts are fixed, maybe not :-( More bugs will be opened eventually, if some additional part can be / is fixed. I also removed the bug 107882 from the "see also" list. I don't see any connection between some Cyrillic StarBasic editor problems and this bug.
Dear Oliver Brinzing, To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the information from Help - About LibreOffice. If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice. Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to 'inherited from OOo'; 4b. If the bug was not present in 3.3 - add 'regression' to keyword Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-UntouchedBug
Fixed in 7.2 resulted in the following commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=1dc71daf7fa7204a98c75dac680af664ab9c8edb author Samuel Mehrbrodt <samuel.mehrbrodt@allotropia.de> 2021-01-18 15:24:48 +0100 committer Thorsten Behrens <thorsten.behrens@allotropia.de> 2021-01-28 12:45:30 +0100 Improve macro checks Missing was bug 158090 , with that I set this as Fixed.