An update to my last post: you can use signtool with a certificate in the Windows certificate store; it doesn’t have to be in a file. In the command line, instead of specifying a file to use with the /f option, specify part of the certificate’s subject name with the /n option, as in:
signtool sign /n "Part of subject name" /p newpassword hidden.exe
You can leave off the /p (for password) option if you don’t have the certificate protected by a password.
The advantage of this is that some trusted corporate administrator can install the certificate on each developer’s PC, marked as “not exportable”. Then the developers can use the certificate to sign code on that PC, but can’t take a copy of the certificate elsewhere with them. It’s not a perfect solution, but it seems a good compromise.
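A pre-flight check for the setup described above, as an added example that is not part of the original post: it confirms that exactly one code-signing certificate in the store matches the subject fragment and that its private key really is non-exportable, then signs with /n. The CurrentUser\My store, RSA keys, and the /fd SHA256 digest choice are assumptions; the subject fragment and file name are the placeholders from the command above.

```powershell
# Added example: verify the store certificate before signing with /n.
# Assumptions: certificate lives in CurrentUser\My (signtool's default
# store when /s and /sm are omitted) and uses an RSA key.
$SubjectPart = 'Part of subject name'   # placeholder from the post
$FileToSign  = 'hidden.exe'             # placeholder from the post

# Code-signing certificates whose subject contains the fragment and
# that have a private key available on this PC.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*$SubjectPart*" -and $_.HasPrivateKey })

# Require an unambiguous match so the fragment cannot pick a different
# certificate than the one the administrator installed.
if ($candidates.Count -ne 1) {
    throw "Expected exactly one matching certificate, found $($candidates.Count)."
}
$cert = $candidates[0]

# Read the export policy from the key itself (CNG or legacy CSP).
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$key = $rsaExt::GetRSAPrivateKey($cert)
if ($null -eq $key) { throw 'No RSA private key found for this certificate.' }

$exportable = if ($key -is [System.Security.Cryptography.RSACng]) {
    $allow = [System.Security.Cryptography.CngExportPolicies]'AllowExport, AllowPlaintextExport'
    ($key.Key.ExportPolicy -band $allow) -ne 0
} elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $key.CspKeyContainerInfo.Exportable
} else {
    throw "Unsupported key type: $($key.GetType().FullName)"
}

# An exportable key defeats the purpose of the store-based setup.
# Import-PfxCertificate leaves the key non-exportable unless -Exportable is given.
if ($exportable) {
    throw "Private key for $($cert.Thumbprint) is exportable; re-import it without -Exportable."
}

# Sign using the store certificate, selected by subject fragment.
# /fd SHA256 sets the file digest; recent SDK builds of signtool expect it.
& signtool sign /fd SHA256 /n $SubjectPart $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
```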