It’s become neigh impossible to get your own code signing cert these days. The 2025 update from the CA forum required code signing certs to be short lived (no more three or five year certs) and stored exclusively on an HSM. As a result, most companies cross-signing these certs have moved to a subscription PaaS model where you are issued a cert but never receive custody of it, and perform signing via their APIs, and are at their mercy should they decide to block your account.

Anyway, even if you could get your own cert it would be same thing: MS could revoke or blacklist your indicate cert (though usually the grounds for doing so are much less shaky than your account being suspended for vague “tos violations”)

I was afraid of the HSM at first but for an open source developer (rather than a big company) I found it wasn't a big deal. I can't sign in GitHub Actions and I have a USB stick that lights up when I sign releases, but it hasn't been a blocker. I got mine from Sectigo Store. This isn't hypothetical, I really did it, I've got the HSM, it works. It wasn't difficult. It just cost some money and a little bit of time. "Nigh impossible" is a tremendous exaggeration. I'll concede "annoying and expensive" perhaps. If you've got the money, you can get the HSM. You don't have to re-buy the HSM when you renew your certificate.

The store account was painful to set up, I'll note. My developer account had also been cancelled by Microsoft for unknown reasons, and I ultimately had to set up a brand new one. New email, new name. My new account has my middle initial because I couldn't clash with the existing, closed account. My first and last name alone are banished forever from the store.

The "same thing", as you concede, isn't the same thing. Quantity has a quality of its own: one happens all the time and we're reading an article about it happening right now. In the comments there's another prominent maintainer who it happened to, and it happened to me personally! That's three right here! The other happens so infrequently that people in this same HN thread are complaining that it isn't happening enough. Can you find an example that's like Veracrypt and WireGuard? In practice, it seems they rarely do this, even when they should. You can actually view the list under "Manage computer certificates" > "Untrusted Certificates." On my computer the entire list is 20 certificates.

I'm standing by my suggestion, 100%. These aren't equivalent risks at all.