Updated June 2026 | Category: Code Signing / Why Sign / Publisher Trust / Enterprise Distribution / Software Security | Reading time: 9 min
Most developers know that signing their software is something they should do. Fewer understand exactly why it matters enough to justify the cost and operational overhead. The reasons turn out to be more concrete and more impactful than ‘it’s best practice.’
Code signing directly affects whether users install your software without friction, whether enterprise customers can deploy it at all, and whether your reputation is protected when your software is redistributed through channels you don’t control. Each of these is a business outcome, not just a security checkbox.
Reason 1: Your Install Rate Depends on It
Every Windows user who downloads your software and runs it will see one of two things before the program executes. If your software is unsigned, they see a UAC dialog with a yellow or orange warning header and the words ‘Do you want to allow this app from an unknown publisher to make changes to your device?’ If your software is signed with a trusted code signing certificate, they see a blue dialog showing your verified company name: ‘Do you want to allow this app from [Your Company] to make changes to your device?’
These two experiences have measurably different outcomes. The yellow warning with ‘unknown publisher’ signals to users that Windows cannot verify where the software came from. Non-technical users see a warning they cannot interpret and choose the safe option: Cancel. Users who are sophisticated enough to understand the warning correctly know that ‘unknown publisher’ means no verified identity: they are right to be cautious.
A signed binary doesn’t just change the color of a dialog. It changes the user’s confidence in the decision they are being asked to make. When your verified company name appears in the UAC prompt, users can make an informed choice. When ‘unknown publisher’ appears, the only rational response for a cautious user is to cancel.
SmartScreen and the first-download experience
Beyond UAC, Microsoft Defender SmartScreen evaluates software reputation when users run downloaded files. New software from any publisher shows a SmartScreen overlay warning users that the application is unrecognized. Clicking ‘More info’ reveals the publisher identity: your verified company name if signed, ‘Unknown publisher’ if unsigned or using an untrusted certificate.
SmartScreen reputation accumulates over time as users download and run your software without incident. For signed software, this reputation is associated with your verified publisher identity. Each release from the same publisher builds on the previous publisher history. For unsigned software, reputation is file-hash based with no publisher context, and each new release starts fresh from zero.
The combination of a verified publisher name in the SmartScreen dialog and accumulated publisher reputation significantly reduces the friction users experience over the lifecycle of your product. The first release of a signed application will still show a SmartScreen warning while reputation builds. Subsequent releases from the same signed publisher accumulate faster. Unsigned software restarts the reputation clock with each release regardless of how long the product has existed.
Installation abandonment is one of the most undertracked conversion losses for software publishers. Users who encounter the ‘unknown publisher’ UAC warning or an ‘unrecognized app’ SmartScreen warning frequently abandon the installation rather than proceeding. These abandonments rarely generate support tickets or feedback: the user simply doesn’t install. Code signing converts some portion of these abandoned installations into completed ones, and the improvement is ongoing for every installation your software receives.
Reason 2: Enterprise Customers Cannot Deploy Unsigned Software
Consumer users can choose to proceed through security warnings. Enterprise IT administrators often cannot, or will not, make that choice for their organization. Corporate Windows environments increasingly deploy application control policies that block unsigned software from running entirely, before any user prompt appears.
Windows Defender Application Control
Windows Defender Application Control (WDAC), formerly Device Guard, is a Microsoft security feature that allows IT administrators to define which applications are permitted to run on managed devices. WDAC policies can be configured to require that all executable files be signed by a trusted publisher. An unsigned executable on a WDAC-enforced machine doesn’t show a warning: it simply doesn’t run.
WDAC adoption has grown significantly in enterprise environments following CISA and NIST guidance that positions application control as a critical security control. Organizations that have deployed WDAC are implementing a systematic policy, not a per-application decision. If your software is not signed, it cannot be added to the allow list by publisher identity and must either be explicitly file-hash-approved (which requires IT effort and breaks on every update) or remain blocked.
Endpoint management platforms
Microsoft Intune, Microsoft System Center Configuration Manager (SCCM), and similar enterprise endpoint management platforms are used by IT teams to deploy software to managed devices. These platforms have certificate-based deployment controls that allow administrators to configure which publishers’ software can be installed. Signed software with a known publisher certificate can be added to approved publisher lists. Unsigned software requires manual per-application approval.
For enterprise software vendors, a prospect’s IT department frequently performs a security review before approving software for deployment. The absence of a code signing certificate is a finding in that review. Some organizations have written policies that explicitly require all third-party software to be code-signed before installation is permitted. A customer whose IT policy requires signed software cannot deploy your product without an exception process that adds delay, additional scrutiny, and potential for the deal to stall.
The enterprise sales implication
If your software targets enterprise customers, code signing is not a security nicety. It is a prerequisite for deployment in a growing proportion of enterprise environments. The question is not whether enterprise customers want signed software but whether their current policies already require it or will require it when they next update their security standards. Addressing signing before enterprise sales conversations avoids a situation where signing becomes a blocker late in the evaluation process.
| Without code signing | With code signing |
| UAC shows ‘Unknown Publisher’: yellow/orange warning header | UAC shows verified company name: blue header |
| SmartScreen ‘publisher unknown’ in More info dialog | SmartScreen shows verified publisher name; reputation builds with each release |
| WDAC policies block the application or require manual file hash approval | Can be added to approved publisher list by certificate |
| Enterprise security review flags absence of signing as a finding | Enterprise security review passes certificate verification |
| Third-party redistribution cannot be distinguished from tampered versions | Tampered redistributions invalidate the signature and show signing errors |
Reason 3: Your Software Gets Redistributed. Signing Protects Your Reputation
Software publishers distribute through official channels: their website, the Microsoft Store, GitHub releases, package managers. But software also gets redistributed through channels the publisher doesn’t control: download aggregators, mirror sites, torrent networks, file sharing platforms, and sometimes direct user-to-user sharing. You cannot stop this redistribution, and you cannot audit every copy of your software in the world.
This creates a specific risk: an attacker who obtains your software from one of these channels can modify it, add malware, and redistribute the trojanized version. To users who encounter it, the software appears to be your legitimate product. If they report it as malicious, the malware may be associated with your software’s name in security databases. The reputational and legal consequences can affect your legitimate product.
How code signing breaks the trojanized redistribution attack
When you sign your software with a trusted code signing certificate, the signature covers the entire file content. Any modification to any byte of the signed executable after signing invalidates the signature. A trojanized version of your software cannot carry a valid signature matching your publisher identity, because the attacker does not have your private key.
When a user runs the trojanized version, Windows performs Authenticode signature verification. The modified file’s content no longer matches the signature’s hash. Windows displays a signature error or falls back to ‘Unknown Publisher’ rather than your verified name. The user is warned before executing the malware, and importantly, the warning does not associate the malware with your company name. The attack is blocked and your identity is not falsely attributed to the malicious file.
Without signing, a trojanized version is indistinguishable from your legitimate software by any automated means. Windows has no way to detect the modification. The malicious file runs without warning, the user attributes the harm to your software, and the trojanized version may be reported to antivirus vendors as malware under your software’s name. The damage to your reputation from malware bearing your software’s name but without your signature is real and difficult to reverse.
Non-repudiation: proving you signed what you shipped
Code signing provides non-repudiation: a cryptographic proof that a specific file was signed by the holder of a specific private key at or before a specific time (if timestamped). This works in both directions. If a malicious file circulates claiming to be your software, the absence of your signature proves it is not your software. If a legitimate copy of your software is questioned, your valid signature proves you produced it.
Non-repudiation matters in incident response. When a security incident is attributed to software, verifying whether the involved binary carries a valid signature from the legitimate publisher is one of the first investigative steps. A signed binary from a verified publisher that matches the legitimate release eliminates the legitimate publisher from the investigation. An unsigned binary or a binary with a broken signature is a different question entirely.
What It Costs Not to Sign
The arguments for code signing are often framed in terms of what you gain. It is equally useful to consider what you lose by not signing:
- Every installation that abandons on the Unknown Publisher UAC dialog: an unconverted potential user who saw a warning they could not interpret.
- Every enterprise prospect whose IT policy requires signed software: a stalled deal or a deal that never starts.
- Every trojanized redistribution that runs without a signature warning: a user who is harmed and associates the harm with your software’s name.
- Every new version that restarts from zero publisher reputation with SmartScreen: extended friction period for each release rather than building on accumulated history.
An OV code signing certificate from a major CA costs between $100 and $400 per year depending on the CA and term. The combination of install-rate improvement, enterprise deployment enablement, and distribution channel protection provides returns that substantially justify this cost for any software with commercial distribution goals.
Getting Started With Code Signing
For Windows software, the steps are:
- Obtain an OV code signing certificate from a trusted CA (DigiCert, Sectigo, SSL.com, GlobalSign, or others)
- Complete OV validation: typically 1-3 business days once your organization information is confirmed in QIIS databases
- Sign your executables, installers, and DLLs using signtool.exe from the Windows SDK, including a timestamp
- Verify your signature with signtool verify and check that the publisher name in the UAC dialog matches expectations
- Set up certificate expiry monitoring and renew approximately 60 days before the certificate expires
For macOS software, the equivalent is a Developer ID Application certificate from the Apple Developer Program, plus notarization. For Android, APK signing keys are self-generated. For Linux packages, GPG signing is the standard.
Frequently Asked Questions
Is code signing required to distribute Windows software?
Required by Windows itself: no. Windows can run unsigned executables. Required in practice: increasingly yes. Windows Defender Application Control can block unsigned software entirely on managed machines. Enterprise customers with security policies may not be able to install unsigned software in their environments. Microsoft Store submission requires MSIX signing. And the user experience of running unsigned software (yellow UAC warnings, SmartScreen blocks) creates friction that directly reduces install rates. For software distributed beyond a small trusted circle, signing is a practical requirement for commercial distribution.
Can I use a free certificate like Let’s Encrypt for code signing?
No. Let’s Encrypt issues TLS/SSL certificates for website HTTPS, not code signing certificates. Code signing certificates require at minimum OV (organizational identity) validation, which Let’s Encrypt does not perform. Code signing certificates also require the Code Signing Extended Key Usage, which TLS certificates do not contain. There is no free equivalent of a commercial code signing certificate for general Windows Authenticode signing. Microsoft Trusted Signing is available at approximately $10 per month, which is the lowest-cost commercial option from a major provider.
Will code signing make my software completely trusted immediately?
Code signing provides verified publisher identity immediately: from the first user who runs your signed binary, the UAC dialog shows your company name rather than ‘Unknown Publisher.’ What requires time to accumulate is SmartScreen reputation: Windows Defender SmartScreen evaluates how many Windows machines have seen and run your software without incident. New signed software from a new publisher still shows a SmartScreen warning while this reputation builds, typically clearing within days to weeks for actively distributed software. Signing is the prerequisite for building publisher reputation; it establishes the identity that reputation attaches to.
Gloria Bradford is a renowned expert in the field of encryption, widely recognized for her pioneering work in safeguarding digital information and communication. With a career spanning over two decades, she has played a pivotal role in shaping the landscape of cybersecurity and data protection.
Throughout her illustrious career, Gloria has occupied key roles in both private industry and government agencies. Her expertise has been instrumental in developing state-of-the-art encryption and code signing technologies that have fortified digital fortresses against the relentless tide of cyber threats.