We need better OSes such that signing of software is not required to keep your computer safe.

Just add code cert generation to letsencrypt, it's not like MS validates the code that you sign used certs from them anyway

I suggest that developers could self-sign to verify the legitimacy of future updates. Otherwise leave it unsigned.

This entire "big tech overlords have to sign apps & drivers to keep you safe" concept is one giant pile of nonsense.

On the source code side, I quite like the way Guix does things, i.e. needing every commit to be gpg-signed. They even have a handy tool for verifying the repo[0] but I'm not sure how viable this is for non-OSS projects.

[0]: https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix...

It should something like web certificates, you can bring your own.

I think this is fundamentally an unsolvable problem and I'm not even sure it's worth pursuing.

Any large scale signing platform will have large oversights and be rendered useless. See the appstore / play store/windows...