Best Practices for Code Signing Certificates
Minimize access to private keys
Protect private keys with cryptographic hardware products
Time-stamp code
Understand the difference between test-signing and release-signing
Authenticate code to be signed
Virus scan code before signing
Do not over-use any one key (distribute risk with multiple certificates)
Revoke stolen keys
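The practices "Time-stamp code" and "Revoke stolen keys" interact, and the reason is easiest to see in code. The following is an added illustration, not code from the original page or from any signing tool: a simplified model of how a verifier evaluates a code signature with and without a trusted time-stamp (countersignature), and how a revocation whose effective date is set to the time of compromise invalidates what a thief signed while leaving earlier, time-stamped releases valid. The certificate dates, compromise date and verification time are constructed sample values; `SigningCert`, `Signature` and `signature_status` are names chosen here for the model.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SigningCert:
    not_before: datetime
    not_after: datetime
    # Effective revocation date. When a key is reported stolen, the CA can
    # set this to the time of compromise rather than the time of the report.
    revoked_from: Optional[datetime] = None


@dataclass(frozen=True)
class Signature:
    # signingTime as written by the signer: attacker-controlled, never trusted
    claimed_signing_time: datetime
    # Time asserted by a trusted time-stamp authority (TSA), or None if the
    # code was signed without a countersignature
    timestamp: Optional[datetime] = None


def signature_status(cert: SigningCert, sig: Signature, now: datetime) -> str:
    """Classify a signature as 'valid', 'expired' or 'revoked'.

    A trusted timestamp lets the verifier evaluate the certificate as it was
    at TSA time; otherwise only 'now' is trustworthy. The signer's own
    claimed_signing_time is ignored entirely.
    """
    reference = sig.timestamp if sig.timestamp is not None else now
    if cert.revoked_from is not None and reference >= cert.revoked_from:
        return "revoked"
    if not (cert.not_before <= reference <= cert.not_after):
        return "expired"
    return "valid"


# Constructed scenario: a release-signing certificate valid for three years,
# a key theft in mid-2024, and verification happening in 2026.
CERT = SigningCert(not_before=utc(2022, 1, 1), not_after=utc(2025, 1, 1))
COMPROMISED_CERT = SigningCert(CERT.not_before, CERT.not_after,
                               revoked_from=utc(2024, 6, 1))
NOW = utc(2026, 6, 1)

LEGIT_RELEASE = Signature(claimed_signing_time=utc(2023, 3, 1),
                          timestamp=utc(2023, 3, 1))
LEGIT_NO_TIMESTAMP = Signature(claimed_signing_time=utc(2023, 3, 1),
                               timestamp=None)
# The thief backdates signingTime, but can only obtain a TSA token for the
# real time of signing, which is after the compromise date.
STOLEN_KEY_MALWARE = Signature(claimed_signing_time=utc(2023, 3, 1),
                               timestamp=utc(2024, 7, 1))


def scenarios() -> dict:
    """Evaluate each constructed signature and return its status by name."""
    return {
        "legit, timestamped, cert since expired":
            signature_status(CERT, LEGIT_RELEASE, NOW),
        "legit, not timestamped, cert since expired":
            signature_status(CERT, LEGIT_NO_TIMESTAMP, NOW),
        "legit, timestamped, key later stolen":
            signature_status(COMPROMISED_CERT, LEGIT_RELEASE, NOW),
        "malware signed with stolen key":
            signature_status(COMPROMISED_CERT, STOLEN_KEY_MALWARE, NOW),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:45s} -> {status}")
```

The model makes two points the list states only as headings: a release signed without a time-stamp stops verifying the moment the certificate expires, so every shipped binary would need re-signing; and when a key is stolen, reporting the compromise date to the CA (rather than simply revoking "now") is what lets the verifier distinguish the thief's signatures from your own earlier ones. The signer-supplied `signingTime` attribute is deliberately ignored because a thief controls it.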
For more information, the PKI Consortium provides a best practices whitepaper on code signing.