
If you can agree that there is no way to safeguard the application secret key other than keeping it on a server (no matter how you try to bury it in the desktop application, it could be hacked, no?), then you have to let your desktop application 'instances' use some sort of API to get their messages signed.

But, you don't want to let anyone just come in and hit this API! That could be expensive, in terms of CPU, bandwidth, and hosting costs. So you want to make sure the desktop application is indeed authorized to do so. So then you need some sort of authentication scheme between your desktop applications and your server... username/passwords being a common such way.



I'm afraid I still don't quite understand how a username and password is required.

If it is free to sign up for a username and password, then people could just sign up with your service and then hit your API directly. All you've added is an inconvenient barrier for your users that wouldn't stop an attacker. After all, if the attacker can be bothered figuring out how your application talks to your server, he or she can probably be bothered signing up for a username and password.

On the other hand, if your application costs money, then why not require a valid license key to access your server? True, you'll get the problem of people pirating software and reusing the license key, but it shouldn't be too hard to monitor your server logs and ban any license key that is submitted by a large number of unique IP addresses in a short period.
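
The log-based check proposed in the comment above, as an added example that is not part of the original thread: it parses constructed log lines (hypothetical `timestamp license_key client_ip` format) and flags any license key seen from more than a threshold of distinct client IPs inside a sliding time window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <license_key> <client_ip>".
# The format, keys and addresses are made up for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00 KEY-AAAA 198.51.100.10
2024-01-01T10:00:30 KEY-AAAA 198.51.100.10
2024-01-01T10:01:00 KEY-BBBB 203.0.113.1
2024-01-01T10:01:05 KEY-BBBB 203.0.113.2
2024-01-01T10:01:10 KEY-BBBB 203.0.113.3
2024-01-01T10:01:20 KEY-BBBB 203.0.113.4
2024-01-01T10:02:00 KEY-CCCC 192.0.2.1
2024-01-01T12:00:00 KEY-CCCC 192.0.2.2
2024-01-01T14:00:00 KEY-CCCC 192.0.2.3
2024-01-01T16:00:00 KEY-CCCC 192.0.2.4
"""


def parse_line(line):
    """Split one log line into (timestamp, license_key, client_ip)."""
    ts, key, ip = line.split()
    return datetime.fromisoformat(ts), key, ip


def keys_to_ban(log_text, max_ips=3, window=timedelta(minutes=10)):
    """Return the set of license keys that were submitted from more than
    `max_ips` distinct client IPs within any sliding window of length
    `window`. Lines are assumed to be in chronological order, as a server
    log normally is."""
    recent = defaultdict(deque)  # key -> (timestamp, ip) pairs, oldest first
    banned = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key, ip = parse_line(line)
        q = recent[key]
        q.append((ts, ip))
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {seen_ip for _, seen_ip in q}
        if len(distinct) > max_ips:
            banned.add(key)
    return banned
```

Legitimate users behind a shared NAT address look like one IP and roaming users look like several, so the threshold and window should be tuned against observed legitimate traffic before any ban is enforced automatically.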



