We sell commercially an application developed in Visual Basic .NET (currently in VS 2008, though we're looking at making the upgrade to VS 2019). Reports from the application can be output as either Crystal Reports text reports displayed on screen or native Microsoft Excel files (created using Automation). One of our customers has told us that their auditors are requiring that they produce reports which are provably unaltered. While Excel is a format they prefer, there's no way to know if the cells were changed after the file was created, so for the time being they're giving their auditors Crystal Reports output exported to PDF.
If I could digitally sign the Excel file I create, I believe that would meet the audit requirement. However, I can't figure out a way to sign a document under program control, with a signing certificate that would be held safely inside the executable and couldn't be hijacked. Is this a pipe dream, a self-contradictory desire? Or is there a way to make this work? Or is there another way to accomplish the same thing, of an Excel file that can be reliably locked when it's created by a Visual Basic application?