Let's recap: my commercially distributed plugin is currently unsigned. I'm debating whether I should invest the time and money to sign the plugin. I published a poll last week on the subject and the answers are quite definitive.
Here are the results:
- 87% voted that they simply don't care.
- 13% voted that they will check the website before proceeding.
- Not a single vote claiming that he/she will never install an unsigned plugin.
- 79 people voted, out of 727 reads for the article. That's almost 11%. For comparison, the poll on XML handling got about 13% participation. That's almost 20% more. As I see it: people that don't care are less inclined to vote. People who oppose will likely vote, to have their strong opinion heard.
If you are still going to sign your code, go with Peter's tip and buy the certificate from Tucows. At $75, they seem to be the cheapest around and you get exactly the same certificate (they buy them in bulk...).
I still think there's a point in keeping the unsigned warning when installing such a plugin. Some people will check the origin to make sure it is bona fide. But then again, I've never heard of a malicious Eclipse plugin. I guess there's always a first time...