
Does my Windows app need to be signed with a trusted certificate?

I developed a Windows app using C++ and the Qt library. The app doesn't require elevated privileges to run.

I'm going to distribute my app as an MSI installer downloaded from a website. The installer will be signed using my signed certificate.

However, I haven't signed the EXE file and I don't see any issues with that. There's no security warning shown when I start the app after the installation.

So the question is, should I sign the EXE file as well? If I don't sign it, will there be any issues?

For example, after I downloaded the Dependency Walker tool, it shows me a security warning about an unverified publisher every time I run it. My EXE file isn't signed either, but I don't see any warnings.

I'm wondering if I can encounter any issues if I release the unsigned EXE file within my signed MSI installer.

Michał Fronczyk asked Nov 10 '22 07:11



1 Answer

It would certainly be preferable for the EXE file to be signed, but it is not ordinarily mandatory. Windows will not warn users when running an unsigned executable file unless the file has a zone identifier or is being elevated ("run as administrator").

However, unsigned files are more likely to experience false positives from security software, may cause users or administrators to be concerned about the trustworthiness of the file and/or process, and are more difficult for administrators to whitelist in high-security environments.

Harry Johnston answered Nov 15 '22 10:11

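To check the zone identifier condition from the answer above on an installed copy of an app, the following PowerShell lists each EXE and DLL under an install directory with its Authenticode status and any zone identifier it carries. This is an added example, not part of the original answer; the function name `Get-SignatureZoneAudit` and the install path are hypothetical, and it does not cover the elevation case.

```powershell
# Added example. Reports, per binary, the Authenticode status and the
# ZoneId stored in the Zone.Identifier alternate data stream (if any).
function Get-SignatureZoneAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$InstallDir   # hypothetical: directory the MSI installed into
    )

    Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

            # The stream is absent on files written locally by an installer,
            # so a missing stream is expected and not an error.
            $zoneId = $null
            $stream = Get-Content -LiteralPath $file.FullName `
                          -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in $stream) {
                if ($line -match '^ZoneId=(\d+)') {
                    $zoneId = [int]$Matches[1]   # 3 = Internet zone
                    break
                }
            }

            $signer = $null
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            }

            [pscustomobject]@{
                File               = $file.FullName
                SignatureStatus    = $sig.Status
                Signer             = $signer
                ZoneId             = $zoneId
                # The combination the answer says triggers the warning.
                UnsignedWithZoneId = ($sig.Status -eq 'NotSigned' -and
                                      $null -ne $zoneId)
            }
        }
}

# Hypothetical install path; replace with the real one.
Get-SignatureZoneAudit -InstallDir 'C:\Program Files\ExampleApp' |
    Format-Table -AutoSize
```

Running the same function over a downloads folder shows the contrast the question describes: a downloaded, unsigned tool carries a `ZoneId`, while binaries laid down by the MSI do not.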