Sign Gargoyle #585

Open
dfabulich opened this issue Dec 2, 2021 · 6 comments

Comments

@dfabulich

When you attempt to run the nightly Gargoyle installer, Windows SmartScreen refuses to run it at first; similarly, macOS refuses to launch it when you double-click on it.

Gargoyle should be signing its apps.

(I think this may cost money, and require a corporation. I think IFTF might be the way to go here.)

@cspiegel (Contributor) commented Dec 2, 2021

Zarf has been building and signing the previous macOS builds and I hope he'll be on board with doing that for the next release.

It's my understanding as well that a Windows signing certificate costs money; I don't do any Windows development beyond Gargoyle, so I don't have a cert. If that's something that's part of the IFTF's purview that'd be good to have, without a doubt.

As for the continuous builds, I'm not sure it's feasible to have those signed, given that the private key would have to be made available to the CI environment. I suspect that CI builds will have to continue to remain unsigned, with official releases being signed.

@DavidKinder

TL;DR: Getting a Windows code signing certificate is a nightmare if you're not a big company. Avoid.

I have spent some time looking into getting a Windows code signing certificate myself, and it's not either easy or even a good idea. Not many CAs will sell code signing certificates to individual developers: in the US Comodo / Sectigo certainly did, but it's not clear whether or not they still do. In Europe the only one I could find is Certum.eu, who are based in Poland. In both cases you need to send them enough personal documentation to allow someone to duplicate your identity, and end up with a certificate publishing your home address. I am not going to email scans of my passport to an unknown company in Poland!

Involving the IFTF as the entity to which the certificate is registered is an interesting idea, and it might actually work. But there are then lots of other things to worry about:

  • Does the licence from the issuing CA impose restrictions on who the IFTF could distribute the resulting certificate to? Would there be any liability on the IFTF for distributing it?
  • Who would the IFTF be prepared to share the certificate with? Certainly not anyone who just asked, but equally it can't be a private club for the "in crowd".
  • Would there be any liability on the IFTF if the certificate is used to sign something malicious?

Even if you do jump through all these hoops, what you end up with will be an OV (ordinary validation) certificate. That will be enough to stop the "unknown publisher" warning from Windows, but not the Windows SmartScreen one. For the latter you'd need an EV (extended validation) certificate, which costs even more, is even more bureaucracy, and generally involves a hardware token to protect the private key, making sharing it among a pool of IF developers impossible.

It would be great if someone were to investigate all this. But it isn't going to be me!

@nickbe commented Jan 6, 2022

As far as I can tell the certificate costs around $69 on the certum site: https://shop.certum.eu/open-source-code-signing-code.html. Please check if this license would be enough to sign the next release and installer with it.

Although I'm sure other users would want to help out here too. So some small donations might be rather easy to get :)
I'm more than happy to sponsor this.

@hkleinsorgen (Contributor) commented Jan 17, 2022

Just signing won't solve the SmartScreen problem in all cases. At our company we use a Digicert certificate to sign Windows executables, and it still happens occasionally for nightly builds.

@dfabulich (Author)

I believe the "best" way to minimize the probability of SmartScreen trouble (and other anti-malware software) is to use a multi-stage installer, where users initially first download a "stage 1" signed installer, which downloads the "stage 2" current latest installer and runs that.

This allows the first-stage installer to never need to change or update its bytes, allowing it to acquire a reputation with SmartScreen (and other antivirus technology).

There may or may not be a good way to solve it for nightly builds (but presumably developers/testers who need nightly builds can figure out how to manually circumvent SmartScreen).
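The two-stage installer described above, as an added stage-1 bootstrapper in PowerShell that is not Gargoyle's code: it downloads stage 2 and refuses to run it unless the Authenticode signature is valid and the signing certificate is the expected one, since a stable, trusted stage 1 would otherwise launch whatever the download URL happens to serve. The stage 2 URL and certificate thumbprint are placeholders, not real project values.

```powershell
# Added example (not Gargoyle's code): a "stage 1" bootstrapper for the two-stage
# installer design. Stage 1 stays byte-stable and signed so it can build reputation;
# stage 2 is fetched at run time, so stage 1 must verify stage 2 before executing it.
# $Stage2Url and $ExpectedThumbprint are placeholders, not real project values.
param(
    [string]$Stage2Url = 'https://example.invalid/gargoyle-latest-setup.exe',   # placeholder
    [string]$ExpectedThumbprint = 'REPLACE_WITH_PUBLISHER_CERT_SHA1_THUMBPRINT'  # placeholder
)

$ErrorActionPreference = 'Stop'

# Refuse anything that is not HTTPS: TLS is what protects the download path itself.
if (-not $Stage2Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Stage 2 URL must use HTTPS: $Stage2Url"
}

# Download to a unique temp path so a stale or planted file is never picked up.
$stage2 = Join-Path $env:TEMP ('stage2-' + [guid]::NewGuid().ToString() + '.exe')
Invoke-WebRequest -Uri $Stage2Url -OutFile $stage2 -UseBasicParsing

# Authenticode check: the signature must chain to a trusted root AND the leaf
# certificate must be the publisher we expect. A merely "Valid" signature from any
# publisher is not enough, because any signed binary at all would pass that test.
$sig = Get-AuthenticodeSignature -FilePath $stage2
if ($sig.Status -ne 'Valid') {
    Remove-Item $stage2 -Force
    throw "Stage 2 signature status is '$($sig.Status)'; refusing to run it."
}
# -ne is case-insensitive in PowerShell, so thumbprint casing does not matter here.
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    Remove-Item $stage2 -Force
    throw "Stage 2 signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)."
}

# Only now hand control to stage 2; installer arguments are specific to the real setup.
Start-Process -FilePath $stage2 -Wait
Remove-Item $stage2 -Force
```

Pinning a single thumbprint means stage 1 must be rebuilt and re-signed when the publisher certificate is renewed, which is the trade-off for keeping stage 1's bytes stable.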

@nickbe commented Jan 28, 2022

Another thought here: Most of the time I don't install gargoyle at all. I just extract the files and use it as a portable from a seafile folder. Although having a signed or trouble-free installer is surely needed, I think there should always be a simple zip for those of us who don't use the setup anyway.
