IME lack of adoption is more due to lack of tooling and integration with popular languages and libraries.
Also, the domains that have the most to benefit from SGX (heavily regulated ones like healthcare) tend to be very slow adopters of new technology.
I guess there is definitely some level of concern for sidechannel attacks, given Intel's track record, but I don't think that's whats been holding back adoption.
No it doesn't. Getting a whitelisted code signing key just requires you to agree that you won't distribute malware. You pay nothing for it and Intel don't see the code you sign. Please don't make things up because they "sound right".
Only Intel know what chips they've manufactured and what microcode patch levels are currently considered secure, so that wouldn't make much conceptual sense. But the new DCAP feature lets you run some of the RA infrastructure yourself, yes.
Also, the domains that have the most to benefit from SGX (heavily regulated ones like healthcare) tend to be very slow adopters of new technology.
I guess there is definitely some level of concern for sidechannel attacks, given Intel's track record, but I don't think that's whats been holding back adoption.