Do people even double check installers are digitally signed? There's so much open source stuff out there that is not digitally signed, most people might not even notice.
Like I said, there's a LOT of open source projects that show that prompt. Signing an MSI involves having a valid CA certificate, which AFAIK is not free, and goes beyond the budget of most projects.
It's not free but it's not expensive either. Most well known Windows open source projects have them; e.g. PuTTY, WireGuard, VLC, Rufus, etc.
Maybe it's high time for a free-as-in-beer CA for non-profit open source developers funded by donations?
Edit: I was wrong.
Prices on code signing certificates have skyrocketed to in excess of $500/year, due in part to continuing meddling by the CA/B forum which increased the requirements of standard certs to be the same as EV certs, and requiring the key to be stored in a hardware token—which must now be re-issued yearly.
This makes it near impossible to provide free or affordable certificates to developers. Thanks CA/B forum, lots of help as usual.
We're up for renewal with PortableApps.com. The same one year non-EV code signing certificate with a USB token that was US$246 last year is now US$434 from GlobalSign. The lower prices you see some places are for 2+ years.
Note that the certificate itself is only for 1 year regardless of how long you buy one for, and you need to go through the renewal process each year, just without payment.
The UAC dialog for unsigned software has an orange or yellow accent. You could be talking about the SmartScreen dialog. There's yet another dialog for executable files downloaded from the internet, which I think has a red shield for unsigned software.
Neither WinGet nor Homebrew packages/formulae provide authenticity checks. They have integrity checks for file transfer. That’s it. Where did the file come from when it was entered into the respective repository? No statement.
Whether Authenticode provides a sufficient authenticity check is yet another question, of course. Still, file integrity verification is just a side-effect.
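
The distinction the last two comments draw, a hash match (integrity) versus a verified publisher signature (authenticity), shown as an added PowerShell example that is not part of the thread. `Test-InstallerTrust` and its parameter names are hypothetical; it assumes Windows, where `Get-AuthenticodeSignature` is available.

```powershell
# Added illustration; Test-InstallerTrust and its parameter names are hypothetical.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,    # e.g. the hash recorded in a package manifest
        [Parameter(Mandatory)][string]$ExpectedPublisher  # certificate subject name you expect
    )

    # Integrity: the bytes match the recorded hash. Says nothing about who produced them.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $integrityOk = $actual -eq $ExpectedSha256   # string -eq is case-insensitive

    # Authenticity: the Authenticode signature validates and names a publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $publisher = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }
    $signatureValid = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    $publisherOk = $signatureValid -and ($publisher -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path            = $Path
        IntegrityOk     = $integrityOk
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Publisher       = $publisher
        PublisherOk     = $publisherOk
        Trusted         = $integrityOk -and $publisherOk
    }
}

# Constructed sample: check the running PowerShell host against its own hash.
$sample = (Get-Process -Id $PID).Path
$recorded = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
Test-InstallerTrust -Path $sample -ExpectedSha256 $recorded -ExpectedPublisher 'Microsoft Corporation'
```

Run against an unsigned file whose hash was recorded, this returns `IntegrityOk` as true with `SignatureStatus` of `NotSigned`, which is the gap between the two checks.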