We currently sign our MSIs, but we don't sign our executables. Signing our executables would prevent users running our binaries from seeing a "Publisher could not be verified" warning, allow our publisher reputation to convince antivirus products that new, unseen, release artifacts are valid, and allow our binaries to participate in AppLocker policies which locked systems down to running software by trusted publishers.