We have just purchased a code signing certificate from DigiCert using openssl to generate a CSR, added Windows metadata to our build process using go-winres, and signed our executable using osslsigncode. We recommend automating this process for simplicity and consistency across releases. To make it easier for the next teams, we've documented our steps in detail, covering the basics of purchasing a code signing certificate, generating a CSR, adding metadata to the executable, and signing the executable itself.