5

I developed a Windows app using C++ and the Qt library. The app doesn't require elevated privileges to run.

I'm going to distribute my app as an MSI installer downloaded from a website. The installer will be signed using my signed certificate.

However, I haven't signed the EXE file and I don't see any issues with that. There's no security warning shown when I start the app after the installation.

So the question is, should I sign the EXE file as well? If I don't sign it, will there be any issues?

For example, after I downloaded the Dependency Walker tool, it shows me a security warning about an unverified publisher every time I run it. My EXE file isn't signed either, but I don't see any warnings.

I'm wondering if I can encounter any issues if I release the unsigned EXE file within my signed MSI installer.

Michał Fronczyk

2 Answers

1

It would certainly be preferable for the EXE file to be signed, but it is not ordinarily mandatory. Windows will not warn users when running an unsigned executable file unless the file has a zone identifier or is being elevated ("run as administrator").

However, unsigned files are more likely to experience false positives from security software, may cause users or administrators to be concerned about the trustworthiness of the file and/or process, and are more difficult for administrators to whitelist in high-security environments.

Harry Johnston
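The two file properties this answer names, the zone identifier and the signature, can be read directly; the following PowerShell is an added example, not part of the original answer. `Get-LaunchTrustInfo` is a hypothetical helper name and both sample paths are constructed placeholders.

```powershell
# Added example: report the zone identifier and Authenticode status of a file.
# Get-LaunchTrustInfo is a hypothetical helper name, not a built-in cmdlet.
function Get-LaunchTrustInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop

        # The zone identifier lives in the NTFS alternate data stream
        # "Zone.Identifier". No stream means no zone identifier.
        $zoneId = $null
        $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                           -ErrorAction SilentlyContinue
        if ($ads) {
            $m = $ads | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)' |
                        Select-Object -First 1
            if ($m) { $zoneId = [int]$m.Matches[0].Groups[1].Value }
        }

        # Standard URL security zone numbers.
        $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'
                        2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
        $zoneName = $null
        if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
            $zoneName = $zoneNames[$zoneId]
        }

        # Status is Valid, NotSigned, HashMismatch, etc.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            Path              = $file.FullName
            HasZoneIdentifier = ($null -ne $ads)
            ZoneId            = $zoneId
            Zone              = $zoneName
            SignatureStatus   = $sig.Status
            Signer            = $signer
        }
    }
}

# Constructed sample paths (assumptions): an EXE installed by the MSI and an
# EXE saved straight from a browser. Missing files are skipped.
'C:\Program Files\MyApp\MyApp.exe', "$env:USERPROFILE\Downloads\depends.exe" |
    Where-Object { Test-Path -LiteralPath $_ } |
    Get-LaunchTrustInfo | Format-List
```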
0

Generally speaking, if the container (the MSI file) is signed and therefore has not been tampered with between its creation and use by the customer, then you can trust the content when it gets extracted. Signing is something used mostly at deployment, whether via MSI install or installing a driver, or when you transfer the file to someone else. If there were a scenario where you'd ask some other person or company to use that executable outside of installing it from the MSI file, they would probably prefer that it be signed to verify that it's from you and your company.

PhilDW
  • I understand that. I'm more interested in Windows's behavior. Specifically, will it show any warnings to the users when they run my unsigned exe file that is packaged in a signed MSI package? – Michał Fronczyk May 30 '14 at 14:38