Why isn't the Windows binary signed?

Code-signing certificates for Windows cost roughly €250–700 per year. ssh-tool is currently a bootstrapped, self-funded project, so signing isn't in the budget yet. It is on the roadmap.

In the meantime: every binary is reproducibly built from a tagged git commit, served over HTTPS, and published with a SHA256 hash next to the download. Verify the hash before running the file. Be clear about what that check gives you: it catches a corrupted, truncated or substituted download, but a hash published on the same page as the binary cannot prove that the release host itself was not tampered with. The stronger check, which the reproducible build exists to make possible, is to build the tagged commit yourself and compare the result byte for byte with the published binary.

The warning you see is download reputation, not malware detection. Chrome and Firefox use Google Safe Browsing's download protection, which flags uncommon executables from low-volume sources; the "Windows protected your PC" dialog you may get when you run the file comes from Microsoft SmartScreen, which works the same way. Neither has found anything in the file; an unsigned binary that few people have downloaded simply has no established reputation yet.

If you want to verify a download:

certutil -hashfile ssh-tool-windows-amd64.exe SHA256

Compare the output to the SHA256 on the releases page.
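The same check, written as a PowerShell function that refuses to proceed on a mismatch. This is an added example, not code shipped by ssh-tool: the file name is the one from the command above, the expected hash is a placeholder you replace with the value copied from the releases page, and the signature status line simply shows what "unsigned" looks like to Windows today (it should read Valid once the project signs its releases).

```powershell
# Added example, not part of the ssh-tool project.
# Verify a downloaded release binary against the SHA256 published on the
# releases page before running it. Refuses (non-zero exit) on any mismatch.

function Test-ReleaseHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Normalise the value copied from the releases page: drop surrounding
    # whitespace and an optional "sha256:" prefix, then sanity-check it is
    # really a 64-hex-digit SHA256 and not a SHA1/MD5 pasted by mistake.
    $expected = ($ExpectedSha256 -replace '^\s*sha256:\s*', '').Trim()
    if ($expected -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Expected value is not a 64-hex-digit SHA256: '$ExpectedSha256'"
    }

    # Get-FileHash is the PowerShell equivalent of 'certutil -hashfile ... SHA256'.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Hex case differs between tools (certutil lowercase, Get-FileHash uppercase),
    # so compare case-insensitively.
    $match = [string]::Equals($actual, $expected,
                              [System.StringComparison]::OrdinalIgnoreCase)

    # Authenticode status: 'NotSigned' for current releases, 'Valid' once the
    # project signs its binaries. Shown for information; it is not the check.
    $sigStatus = (Get-AuthenticodeSignature -LiteralPath $Path).Status

    [pscustomobject]@{
        File            = $Path
        ExpectedSha256  = $expected.ToLowerInvariant()
        ActualSha256    = $actual.ToLowerInvariant()
        Match           = $match
        SignatureStatus = $sigStatus
    }
}

# --- usage -------------------------------------------------------------
# Placeholder: replace with the SHA256 shown next to the download on the
# releases page (this value is constructed for the example and will not match).
$published = '0000000000000000000000000000000000000000000000000000000000000000'

$result = Test-ReleaseHash -Path '.\ssh-tool-windows-amd64.exe' -ExpectedSha256 $published
$result | Format-List

if (-not $result.Match) {
    Write-Error "SHA256 mismatch: do NOT run this file. Re-download it and check again."
    exit 1
}
Write-Host "SHA256 matches the published value (signature status: $($result.SignatureStatus))."
```

Run it from the directory containing the download. A mismatch is not a reason to try the binary anyway: re-download, check again, and if it still differs, report it with both hash values.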