Concerning code signing: Azure has a somewhat new offering that allows you to sign code for Windows (SmartScreen compatible) without having an EV cert. It is called "Trusted Signing" [1], non-marketing docs [2]. The major gotcha is that currently you need to have a company or similar entity 3 years or older to get public trust. I tried it with a company younger than 3 years and was denied. You might have a company that fits that criteria or you might get lucky.
The major upside is the pricing: currently "free" [3] during testing, later about 10 USD/month. As there doesn't seem to be a revocation mechanism based on some docs I read, signed binaries might be valid even after a canceled subscription.
[1] https://azure.microsoft.com/en-us/products/trusted-signing
[2] https://learn.microsoft.com/en-us/azure/trusted-signing/quic...
[3] You need a CC and they will likely charge you at some point. Also I had to use some kind of business Azure/MS 365 account which costs about 5 USD/month. Not sure about the exact lingo, not an Azure/MS expert. The docs in [2] was enough for me to get through the process.