And for this to work at all, the signature needs a timestamp so that the OS can know that the certificate was valid at the time of signing.
But for some reason the tools (signtool.exe, etc.) make it really hard to get this done properly.
This is especially true in a CI setting: signing and timestamping turn a reliable, deterministic process (compiling code) into an unreliable, non-deterministic one, because builds can now fail randomly based on the state of an online timestamping service.
Getting this done properly is a lot more work than you would at first think.
I can see why lots of developers shy away from learning about this, even more so implementing it, when they can spend their time delivering value... And new builds which won't expire for another 2 years.
Why are you signing your drivers during development? If not, how is the "unreliability" of timestamping services an issue? You probably can't push your stuff to prod without timestamps anyway.
It doesn't take a lot more work than I think.
> But for some reason the tools (signtool.exe, etc.) make it really hard to get this done properly.
In our experience, signtool doesn't make this "really hard to get this done properly". The CI for our primary product uses a remote server for timestamping at signing. While that server doesn't go down constantly, it does go down at least once a month. This is not an artifact of signtool but the vendor.
To have security it is far better to have something fail and not sign than to sign incorrectly. The opposite, get-it-done-at-all-costs attitude was the likely cause of this article having been written about Oculus. In this case the cost was signing something incorrectly, due to a misunderstanding of the very basics of certificates, and bricking the already working primary product of the company.
Microsoft has a mode for loading unsigned drivers. Every Windows developer should already know about this. If a junior developer without this knowledge is in control of a critical build process, that's the problem, not signtool.
I've met far too many people who treat a lack of security knowledge as a positive or a badge of honor of some kind. It's not a positive, it's something undesirable and a loss-leader for employers.
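The "fail rather than sign without a timestamp" approach the replies argue for, as an added example that is not code from any commenter: a PowerShell wrapper around signtool that retries across several RFC 3161 servers and refuses to let the build continue unless the resulting signature actually carries a timestamp. It assumes signtool.exe is on PATH and that $env:SIGN_THUMBPRINT names a CA-issued code-signing certificate in the user's store; the timestamp URLs are placeholders.

```powershell
# Added example (not from the thread): sign with a timestamp, retrying across
# several RFC 3161 servers, and refuse to produce an artifact whose signature
# lacks a timestamp. Assumes signtool.exe is on PATH and $env:SIGN_THUMBPRINT
# names a code-signing certificate in the current user's store.
# The timestamp URLs below are placeholders; use the ones your CA publishes.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string[]] $TimestampServers = @(
        'http://timestamp.example-ca-1.invalid',   # placeholder
        'http://timestamp.example-ca-2.invalid'    # placeholder
    ),
    [int] $Attempts = 3
)

$ErrorActionPreference = 'Stop'

function Test-Timestamped([string] $File) {
    # Get-AuthenticodeSignature exposes the timestamp countersignature's
    # certificate; it is $null when the file was signed without a timestamp.
    # Status is 'Valid' only when the hash matches and the chain is trusted.
    $sig = Get-AuthenticodeSignature -FilePath $File
    return ($sig.Status -eq 'Valid' -and $null -ne $sig.TimeStamperCertificate)
}

for ($i = 1; $i -le $Attempts; $i++) {
    foreach ($tsa in $TimestampServers) {
        # /fd and /td select SHA-256 for the file digest and the timestamp digest;
        # /tr requests an RFC 3161 timestamp rather than the legacy Authenticode one.
        # signtool signs first and timestamps second, so a TSA outage can leave a
        # signed but untimestamped file behind; Test-Timestamped catches that case.
        & signtool.exe sign /sha1 $env:SIGN_THUMBPRINT /fd SHA256 /tr $tsa /td SHA256 $Path
        if ($LASTEXITCODE -eq 0 -and (Test-Timestamped $Path)) {
            Write-Host "Signed and timestamped $Path via $tsa"
            exit 0
        }
        Write-Warning "Attempt $i via $tsa failed (exit $LASTEXITCODE); retrying"
        Start-Sleep -Seconds (10 * $i)
    }
}

# Fail the build loudly rather than ship a signature that expires with the certificate.
throw "Could not obtain a timestamped signature for $Path"
```

Running this as the last signing step makes a TSA outage a visible build failure instead of a binary that silently stops validating when the certificate expires.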