I suggest that developers could self-sign to verify the legitimacy of future updates. Otherwise leave it unsigned.

This entire "big tech overlords have to sign apps & drivers to keep you safe" concept is one giant pile of nonsense.