I've got a brand new code-signing certificate and have been wondering which files I should sign.
Clearly, the setup .msi package and all .exe files which run elevated should be signed to avoid "unknown publisher" warnings, but should I sign other executables, e.g. .exe files which don't need elevation, .dll or .ocx?
Microsoft themselves seem to handle this inconsistently:
- In Office 2007, all executable files are signed
- In Visual Studio 2008, all .exe and many .dll are signed; however, there are also lots of unsigned DLLs (apparently strong-named assemblies, maybe they consider strong-naming sufficient)
- In Windows (7), neither executables nor DLLs are signed (not even executables that need UAC, like mmc.exe!)