Tuesday, September 16, 2008

InfoPath 2007 Digitally Signed Form Templates

By Hristo Yankov

If you are developing a K2 blackpearl / InfoPath 2007 / MOSS solution, at some point of time you might need to digitally sign your Form template. One of the reasons you may need to do that is, if you have to give 'Full Trust' to the form. That's because MOSS will not allow you to submit (or event start filling out) a new InfoPath form, which requires full trust but is not digitally signed.

The process is pretty straight-forward - in InfoPath you click on the Tools in menu, select 'Form Options' and navigate to the 'Security and Trust' tab.

Then you click on the 'Sign this form template' checkbox and choose a certificate (or create a new one).

After doing this, you might be thinking that your InfoPath form is digitally signed and you can safely use the 'Full Trust' settings. In reality, after you deploy your solution and attempt to create a new InfoPath form in the Form Library, you get the following error:

"The form template is trying to access files and settings on your computer. InfoPath cannot grant access to these files and settings because the form template is not fully trusted. For a form to run with full trust, it must be installed or digitally signed with a certificate."

Now, let's think about how we usually edit InfoPath forms, which are already integrated with the K2 process. Usually we click on the InfoPath integration icon which opens the wizard and then we click on the 'Design' button, which opens the InfoPath application for us, so we can edit it.

(InfoPath Integration Wizard)

The problem with this approach is - by modifying the InfoPath form, K2 blackpearl invalidates your digital signature and effectively removes it. What happens is - you click on the 'Design' button, open the InfoPath form, set the signature, save the form, close it, 'Finish' the wizard, but next time you open the InfoPath form, your signature is gone. Even if you modify the InfoPath form outside the K2 studio, in the process of deployment, your signature is being destroyed again.

As a conclusion - there is no way you can deploy digitally signed InfoPath form, through the K2 blackpearl studio!

Fortunately there is a work-around. After deploying your solution, follow these steps:
  1. Navigate to your MOSS website
  2. Navigate to your Form Library where the form was deployed
  3. Click on Settings -> Form Library Settings
  4. Click on the 'Advanced settings' link
  5. Click on 'Edit template' link (Select 'Yes' at the question, if any)
  6. It will open the InfoPath form in design mode for you and will prompt you to save it somewhere. Don't overwrite the InfoPath form which is in the K2 project. Just save this on the desktop, or somewhere else.
  7. Now, in the InfoPath go to the Tool -> Form Options... -> Security and Trust and select full trust radio-button.
  8. On the same screen - sign the form
  9. Save the InfoPath on the desktop again
  10. Use the Publishing wizard in the InfoPath application (File -> Publish...) to republish the form into the form library.
Now your InfoPath form is digitally signed and ready to use. Unfortunately, you will have to follow those steps after each deployment.

Bookmark and Share


Anonymous said...

Why do I need to publish with Full Trust. My form template does not have any code behind. Please help me understand.

HY said...

Well, this article is just covering the scenario when you need Full Trust. One of those scenarios is the code behind in the InfoPath. I think if you don't have it, you won't need full trust.

Ramesh said...

hi,i dev one k2 blackpoint wf with infopath form. i deploy in to the k2porocess portal.
i have one qns:
if i m download the infopath and save it some where like desktop and create digital signature and deploy into infopath library.that form should not be integrate with k2 process which ever i created in early.
how it will be integrate with K2 process portal.

Please advise i m wrong way.

Petya Gaytanska said...

Hi Kodu

When you edit the form as Hristo described in his post, you edit only its properties to make it fully trusted. This way connection with K2 will be kept. Note that if you want to make other changes on the form, you need to do them though K2 studio, otherwise may end up with inconsistency and your workflow will not work.