Right. I don't think I'm going to change your mind, but the value is in the chain of integrity — you build and sign it, I download it over TLS, and I then know that I got a binary that the site intended to serve to me and that you intended to sign. It's not a perfect system by any means, but it is a useful component of an overall security strategy. That said, the issue here is just the practical one, where enough systems are starting to not accept unsigned binaries that it becomes more difficult for users. I do expect that we'll see more an increasing amount of pressure around this, as it has a real impact on security outcomes at population scale. The cheapest option currently is Microsoft's Artifact Signing process, which costs $10/month, plus of course however much of your time it takes to get it working: https://learn.microsoft.com/en-us/azure/artifact-signing/overview. Anyway, thanks much regardless!