We produce a content management system. It’s a database-based system, used only by businesses and organizations, and never downloadable from the Internet. That is, it’s not the kind of software someone might stumble upon and wonder what it is and whether it’s safe to run. Over the 20+ years our system has been sold, its executables have never been digitally signed. Is it time for us to start signing them?
For starters, I can think of a few pros and cons:
- Pro: If using Verisign certificates, Windows Error Reporting can be used
- Pro: When Windows Vista and Windows 7 show one of those annoying UAC messages, signed applications are presented a bit more nicely
- Con: Certificates cost money. Not a lot, but if they’re useless it’s too much
- Con: Signing has some maintenance overhead; how much, I don’t know.
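One way to ground the decision is to audit what the shipped build actually looks like to Windows today, and what signing it would involve. The following PowerShell is an added example, not code from the question or from the asker’s product; the build directory `C:\Build\Release`, the certificate thumbprint and the timestamp server URL are placeholders to be replaced with your own values.

```powershell
# Added example (not from the original question): report the Authenticode state
# of every PE file in a build, and optionally sign the build with a timestamp.
# Assumed placeholders: C:\Build\Release, the thumbprint and the timestamp URL.

function Get-SigningReport {
    param(
        [Parameter(Mandatory)] [string] $BuildDir
    )
    # Check DLLs as well as EXEs: a signature on every module lets you detect
    # tampering anywhere in the install, not just in the launched executable.
    Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            # Without a timestamp countersignature the signature stops validating
            # when the certificate expires, which is the bulk of the maintenance cost.
            Timestamped = [bool] $sig.TimeStamperCertificate
        }
    }
}

function Set-BuildSignature {
    param(
        [Parameter(Mandatory)] [string] $BuildDir,
        [Parameter(Mandatory)] [string] $Thumbprint,      # placeholder, from your own store
        [string] $TimestampServer = 'http://timestamp.example.invalid'  # placeholder URL
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint" }

    Get-ChildItem -Path $BuildDir -Recurse -Include *.exe, *.dll | ForEach-Object {
        # SHA-256 file hash plus an RFC 3161 timestamp, so the signature outlives the cert.
        Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampServer
    }
}

# Usage: audit first; anything that is not Valid and timestamped is a finding.
$report = Get-SigningReport -BuildDir 'C:\Build\Release'
$report | Format-Table -AutoSize

$findings = $report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }
if ($findings) {
    Write-Warning ("{0} of {1} files are unsigned, altered after signing, or untimestamped" -f
        @($findings).Count, @($report).Count)
}

# Then, once a certificate is in place:
# Set-BuildSignature -BuildDir 'C:\Build\Release' -Thumbprint '<your thumbprint>'
```

Running the report on an existing release answers the question the list above raises empirically: `NotSigned` everywhere is the current state, `HashMismatch` after signing is what a customer would see if a file had been altered in transit or on disk, and the `Timestamped` column shows whether a signed release would still verify after the certificate expires. The signing function is the whole of the maintenance overhead listed as a con: keep one certificate renewed, and re-run it as part of the release build.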
From the tech side you already stated the pros/cons.
From the business point of view it depends on your users; maybe if you are selling B2B it wouldn’t matter as much as if you were selling B2C or to less savvy users, who would appreciate a nicer UAC message more.
Honestly, I wouldn’t worry… If you haven’t had the urge and can’t find a really good reason, then it’s not important yet.
I’d rather spend those efforts improving something else.