We can obtain a code signing cert from a public CA; they will probably require a greater level of verification of the requestor (DBA, certificate of incorporation, etc.) before issuing the cert. I think that our GlobalSign (CA) contract may already be of the sort that is capable of issuing code signing certs. It would be good to understand what the VCS installer is requiring from the cert (signing chains and such); it may be possible to get Milestone to include our code CA signing chain, and then we can use our internal CA. A better approach for actual code signing is to use time-stamping, as this eliminates the problem of trying to verify a chunk of code that was signed (and valid), but at the time of verification, the code signing cert has expired…
Milestone have methods for this, and we do not have any recommendations or guidelines for signing your software.