@Phil: indeed, InnoSetup has integrated support for signing the uninstaller and installer. That's quite helpful, though you still need to enter the full parameter list. I'm not sure how good the integrated support is when it comes to SHA1+SHA256; I would need to test whether it supports two calls (right now I use a helper exe I wrote for that purpose).
I was, btw., hoping that the packages' post-build event would affect rebuilding the Lazarus IDE as well, but that didn't happen.
While I would support signed installers and executables, the "rebuild from source" aspect would get rid of the signature as soon as you add another package to the IDE.
@Thaddy: You don't need to get them from Microsoft, you can get certificates from a number of companies like Comodo, VeriSign, DigiCert, StartSSL, and a bunch more. You don't need to get them from Microsoft - you get them from the same companies that sell you certificates for websites. And as with https websites, there are advantages, but it's not free, that's true. With StartSSL, I paid once for the identification and could create as many certificates as I wanted later (so after I paid for it to get the website secure, I didn't have to pay for the code signing cert), but StartSSL got some quite bad press recently and I wouldn't recommend them any more.
In today's malware-poisoned world, it's nice to be able to show that a file has not been modified since leaving the original author. A correctly signed file is proof that it isn't infected by a virus (unless the author himself has infected the file). It makes it easier to trust software. Similar to https websites (unless you use the free LetsEncrypt), where you can verify who owns the server. I know that making users feel more comfortable in using software isn't the main focus of noncommercial software, but users would benefit from it anyway.
The required steps are the same as with https certificates - you need to prove your identity. Which comes at a cost.
On Windows since Vista, the UAC dialogs look different if a file has been signed. If you're writing drivers, you need to sign them. If you're writing WSC modules, you need to sign them. Not sure about Windows 10 S, but I would assume that signing files is getting even more important there. Same on the Mac... the system gets more closed with every release. I'm not saying that this is a completely good development, but it has some good aspects.
But speaking about open systems reminds me of something. Nearly twenty years ago, before I even knew about Authenticode, I supplied PGP signatures with the files of my application. That could be something worth adding as well, and would be something useful on Linux.
Anyway, my apologies if anyone was misled to believe this would make free signing possible, as you seem to imply. That's indeed not the case. See my second sentence: "This is only useful for those developer who invest into getting a codesigning certificate".