I've got a brand new code-signing certificate and have been wondering which files I should sign.
Clearly, the setup .msi package and all .exe files which run elevated should be signed to avoid "unknown publisher" warnings, but should I sign other executables, e.g. .exe files which don't need elevation, .dll or .ocx?
Microsoft themselves seem to handle this inconsistently:
I think you answered your own question: sign only where needed to avoid prompting.
There are only a few reasons where I would consider signing everything.
I don't know what overhead there is in checking the signature, though, so older systems may be slower. Also, if your cert is from a cheapo cert supplier then the root CA might not be included in older platforms (XP pre-SP2, etc.).
Oh yes, I'd only do it as part of the build as well (integrate into MSBuild or a build server) as it could get tedious.
Remember not to let anyone else get access to your key; otherwise you'll have it revoked and, all of a sudden, installs might stop working. So use a self-signed cert for devs and keep the real key locked down on a build server.
Bit rambling, but there is no right answer, I think.
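One way to do the "sign only what prompts, as part of the build, with the real key on the build server" approach from the answer above, as an added example that is not code from the original post: a PowerShell step (callable from an MSBuild Exec task or a build-server job) that signs the installer and elevated executables with signtool and then fails the build unless each file verifies against the expected release certificate. The file names, the certificate thumbprint and the timestamp URL are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Assumes signtool.exe (Windows SDK)
# is on PATH and the release certificate is installed in the build server's
# certificate store; $Thumbprint and $TimestampUrl are placeholders.
param(
    [string]$ArtifactRoot = ".\bin\Release",
    [string]$Thumbprint   = "<RELEASE-CERT-THUMBPRINT-PLACEHOLDER>",
    [string]$TimestampUrl = "http://timestamp.example/placeholder"
)

# Only the files that would otherwise trigger an "unknown publisher" prompt:
# the .msi and any .exe that runs elevated (placeholder names). Extend deliberately.
$ToSign = @(
    Join-Path $ArtifactRoot "Setup.msi"
    Join-Path $ArtifactRoot "Updater.exe"
)

function Invoke-Sign {
    param([string]$Path)
    # /fd SHA256: file digest algorithm; /tr + /td: RFC 3161 timestamp so the
    # signature stays valid after the cert expires; /sha1: select cert by thumbprint.
    & signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $Thumbprint $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $Path (exit $LASTEXITCODE)" }
}

function Test-Signed {
    param([string]$Path)
    # Verify the chain on the build machine: a self-signed dev cert or an
    # untrusted root yields NotTrusted/UnknownError rather than Valid.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "$Path is not validly signed: $($sig.Status) $($sig.StatusMessage)"
    }
    # Guard against a developer's self-signed cert leaking into a release build.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "$Path signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    if (-not $sig.TimeStamperCertificate) {
        throw "$Path has no timestamp countersignature"
    }
}

foreach ($file in $ToSign) {
    if (-not (Test-Path $file)) { throw "missing build artifact: $file" }
    Invoke-Sign -Path $file
    Test-Signed -Path $file
    Write-Host "signed and verified: $file"
}
```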