Code-Signing: what types of files should I sign and why?

I have a new code signing certificate, and I wonder what files I should sign.

Obviously, the .msi installation package and all .exe files that start with elevation must be signed to avoid "unknown publisher" warnings, but must I sign other executables, such as .exe files that do not require elevation, .dll or .ocx?

It seems that Microsoft itself is doing this inconsistently:

  • In Office 2007, all executables are signed
  • In Visual Studio 2008, all .exe and many .dlls are signed, but there are also many unsigned DLLs (apparently strongly named assemblies; perhaps they think strong naming is enough)
  • On Windows (7), neither executables nor DLLs are signed (even executables that need UAC, for example, mmc.exe!)
+4
1 answer

I think you answered your own question: sign only where necessary to avoid prompting.

There are only a few reasons why I would consider signing everything.

  • It may carry some advantage with the antivirus vendors: your files are more trusted, so there is less support / installation hassle.
  • It marks the file as more trustworthy to the average user. For example, when I clean a virus-infected system using Autoruns from MS, I tend to look for crappy material that doesn't have a signature; it stands out a mile.
  • You want to look more professional.

I don't know what the overhead of verifying a signature is, so older systems may be slower. In addition, if your certificate is from a cheap certificate provider, the root CA may not be included in older platforms (XP pre-SP2, etc.).

Oh yes, I would only do this as part of the build (integrated into MSBuild or the build server), as this can become tedious.

Make sure that nobody else gains access to your key; otherwise you will have to revoke it, and suddenly your setups may stop working. Therefore, use a self-signed certificate for developers and keep the real key on the build server.

A bit rambling, but there is no right answer, I think.

+3

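As an added example (not from the question or answer above, and not any project's code), here is a PowerShell audit step that a build server could run after signing: it lists every .exe/.dll/.ocx/.msi in the output folder, checks the Authenticode status of each, and fails the build if anything is unsigned, signed by a different certificate, or not timestamped. The folder path and the expected certificate subject are placeholders.

```powershell
# Added example: audit build output for files that lack a valid, timestamped
# Authenticode signature from our own certificate. Run on the build server after
# the signing step so an unsigned or wrongly signed file fails the build.
param(
    [string]$Root = 'C:\build\output',                  # placeholder: build output folder
    [string]$ExpectedSubject = 'CN=Example Publisher'   # placeholder: your cert subject
)

# File types that Windows treats as executable code or installer packages.
$extensions = '*.exe', '*.dll', '*.ocx', '*.msi', '*.sys'
$files = Get-ChildItem -Path $Root -Recurse -File -Include $extensions

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $ours = $subject -like "$ExpectedSubject*"
    # A timestamp keeps the signature valid after the certificate expires.
    $stamped = [bool]$sig.TimeStamperCertificate
    [pscustomobject]@{
        File        = $f.FullName.Substring($Root.Length).TrimStart('\')
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $subject
        Timestamped = $stamped
        # Anything not Valid, not ours, or not timestamped needs attention.
        NeedsAction = -not ($sig.Status -eq 'Valid' -and $ours -and $stamped)
    }
}

$report | Sort-Object NeedsAction -Descending | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.NeedsAction })
if ($bad.Count -gt 0) {
    Write-Error "$($bad.Count) file(s) are unsigned, mis-signed or not timestamped."
    exit 1   # non-zero exit makes the MSBuild / build-server step fail
}
```

A HashMismatch status means the file was modified after signing, which is worth investigating rather than just re-signing.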
Source: https://habr.com/ru/post/1301126/
