When creating our MSI installer, we are signing our code but is it standard practice to also sign code that is not ours but will be included in our installer? For example, there are some system DLL's and OCX's that we distribute that are not ours but are not signed. Should we be signing them when we distribute?
That is a question of your policy, and of the licenses under which you distribute the third party code. Often you are not allowed to modify a third party's redistributable, in which case you should not be signing it. Furthermore the implications of signing their code is that you are certifying it to be what you represent it to be - that's not something I'd want to do.
If you're trying to sign PE files so you can get Vista Logo certification, however, you may evaluate the choices differently; however the ideal case is if is to get the third party source to sign their files, and then you can redistribute them already signed.
