Since you’re still a Windows user at least for now, and assuming that you’re planning on continuing to be open-source, I can recommend Certum for this. shop.certum.eu/open-source-code-signing.html

I gave up trying to initialize the USB thingy using Linux (I tried regular Arch [btw] and an Ubuntu distrobox IIRC), but once I got through the initial steps using Windows, I was able to sign ongoing builds with Linux just fine. It took a LOT of trial and error since there seem to be very few people who simultaneously

• pathologically dislike using Windows regularly
• still want to make it easier for people on Windows to minimize Windows Defender complaints when running software that they build
• have the motivation and resolve to send a lot of PII to one of a handful of companies whose longtime business model is based around reputation and trust in order to get a usable certificate
• are stubborn enough to go out of their way to still figure out how to do a subset of this stuff on Linux
• are capable of actually succeeding at that, and
• are willing to show how they did it in a way that should be reasonably easy enough to understand and adapt to your situation

I didn’t renew after my first year - I switched from publishing an executable to publishing it on the web, so I no longer had a need for it - so I don’t know how things have changed (if at all). Most of my information came from eventually stumbling upon this wiki page for a Ruby-based tool where they figured out the last bits I needed to get it to work.

• It also has instructions for initializing the USB thingy on Linux too, so if I were to renew, I’d give that a fair shot… but seeing “icedtea” and a link to a web application that no longer resolves, I’d still only recommend it if you can use a Windows machine once a year.