Please help me with a decision. Recently I started thinking about buying an Authenticode certificate and signing all the assemblies in my .NET desktop app and the ClickOnce installation. I’ve read a little bit and suddenly realized that runtime signature verification could seriously slow down app loading time. AFAIK, it should hit the internet multiple times during this process, checking the certificate chain and the revoked cert list. Am I right? Also, what about closed-down environments? So I'm scratching my head now – do I need all this trouble in exchange for making my customer sure that this product is really made by my company?
Am I missing some point maybe? Should I sign only the ClickOnce install but not my assemblies? As of now, all the assemblies and CO manifests are just strong-named.