"Make it cost money" is, unfortunately, the first line of defense when dealing with bad actors. This is why some folks get prompted for SMS 2FA if the ML model thinks they're suspicious: a cell line costs Real Money.
Microsoft, Google, and Apple all require certificate signing for software to show up as "trusted" ($350/year is really really annoying, but it is an insurmountable wall for someone distributing hundreds of bad apps). Google's approach lets popular free software get a pass without having to pay, but, yes, it's a trade-off.
In my opinion, the easiest thing to do is to (1) put the Windows binaries on a separate domain, (2) provide screenshots (not links) telling people how to download them from the other website, (3) include screenshots of how to bypass the Google warning, and (4) include instructions on how to verify the authenticity of the binary out-of-band (checksum, etc.). This matches how folks handle other unsigned binaries (for example, drivers).
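Step (4) above, as an added example that is not the commenter's code: a checker for a `sha256sum`-style SHA256SUMS file published on the main site, run against a file downloaded from the separate domain. It distinguishes a good file, a tampered file, and a file the list does not cover; the file names, contents, and the SHA256SUMS text are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sha256sums(text):
    """Parse `sha256sum` output: '<hex>  <name>' or '<hex> *<name>' (binary mode).
    Blank lines and '#' comments are ignored; malformed lines are rejected."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad digest on line: {line!r}")
        expected[name] = digest
    return expected

def sha256_of_file(path, chunk_size=1 << 20):
    # Stream the file so a large installer never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, sums_text):
    """Return 'ok', 'mismatch' or 'unlisted'; only 'ok' means the download is trusted.
    compare_digest gives a constant-time comparison of the two hex digests."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha256_of_file(path), expected[name]) else "mismatch"

def demo():
    """Constructed sample: fake 'binaries' holding b'abc' / b'abd', and a SHA256SUMS
    listing the standard SHA-256 test-vector digest of b'abc' under both names."""
    sums = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-setup.exe\n"
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *tool-tampered.exe\n")
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("tool-setup.exe", b"abc"), ("tool-tampered.exe", b"abd")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return tuple(verify_download(os.path.join(d, n), sums)
                     for n in ("tool-setup.exe", "tool-tampered.exe", "other.exe"))
```

`demo()` returns `("ok", "mismatch", "unlisted")`; in real use the SHA256SUMS text comes from the main site and the path from the download on the other domain.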