Why we sign our code with an expensive certificate

Up to about 2022 we didn't 'bother' signing our code.

This caused some interesting failures.

A customer would be running along fine, then tell us "We didn't change anything, but the software stopped working."

After what was sometimes days of investigation, we would find that their anti-virus had been updated and the new version had decided that some of our code was unsafe.

If the AV was nice, it would rename the file to something like filename.dll.AVDeleted.

If it was only a little nice, it would move it to a quarantine folder.

If it was nasty, it would delete it.

Worse still, it would delete it inside the zip inside the zip of our install package, so it looked like we had never even shipped that file.

After doing some research, we found that there appear to be several levels of trust for signed packages.

  • You can self-sign. The AVs typically treat this as unsigned; they don't trust you to say "trust me, I'm safe".
  • You can go with a low-cost, so-called 'trusted' certificate. Some AVs will respect those, but the low cost makes them easy for evil people to buy, and the low-cost providers can't afford to really check everyone out, so it is fairly easy for bad actors to get one of these certificates ... and as a result some AVs also treat these as not trustworthy.
  • You can go with a high-cost, very trusted certificate. AVs seem to respect these. We suspect this is largely because one of the reasons for the cost is that these certificate providers go through a lot to make sure you really are who you say you are, and if you ever get a bad reputation, you'll never be able to get a high-quality certificate again. As a result, extremely few of these are dangerous and so the AVs trust them - after all, they have to trust something, otherwise everything has to be done by heuristics, and that means you will always get some things wrong.
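As an added example (not the post's own tooling), here is a pre-release check that sorts every binary in an extracted install tree by its Authenticode signature status, so an unsigned or self-signed file is found before a customer's AV finds it. It assumes Windows PowerShell 5.1 or later; the release path is a placeholder.

```powershell
# Added example: gate a release on code-signing status. Run it on the extracted
# install tree, before the files go into the zip inside the zip.
param(
    [string]$ReleaseRoot = 'C:\build\release'   # placeholder path, not the post's
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Map the raw status onto the tiers the post describes. A self-signed (or any
    # untrusted-root) signature chains but does not validate; PowerShell reports
    # that as UnknownError with a message about the root not being trusted.
    $tier = switch ($sig.Status) {
        'NotSigned'    { 'unsigned' }
        'Valid'        { 'trusted-chain' }      # ends in a root this machine trusts
        'UnknownError' { 'untrusted-chain' }    # self-signed or unknown root
        'HashMismatch' { 'tampered' }           # file changed after signing
        default        { "other:$($sig.Status)" }
    }
    [pscustomobject]@{
        File   = $Path
        Tier   = $tier
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Detail = $sig.StatusMessage
    }
}

$report = Get-ChildItem -Path $ReleaseRoot -Recurse -File -Include *.exe, *.dll, *.sys |
    ForEach-Object { Get-SignatureReport -Path $_.FullName }

$report | Sort-Object Tier, File | Format-Table -AutoSize

# Fail the build if anything is not on a trusted chain. This is the gate that
# would have caught a DLL the AV later renamed, quarantined or deleted.
$bad = @($report | Where-Object { $_.Tier -ne 'trusted-chain' })
if ($bad.Count -gt 0) {
    Write-Error "$($bad.Count) file(s) are unsigned, untrusted or tampered; see report above"
    exit 1
}
```

A 'Valid' status only means the chain ends in a root the checking machine trusts; it is the floor, not a guarantee of how a given AV's reputation tiers will score the signer.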