first of all, thank you for "blind trust is not enough", of course you can build software youselve eliminating that risk. please do.
also, if you want to help obtaining code signing certificate, it would be beneficial.

thank you,

I am not skilled enough to audit the code and build it myself. I trust developers do the great job, it's just the signature that's missing.

There's a very affordable cloud-based code-signing certificate for open source developers for 49 EUR a year that would eliminate this issue altogether. It can be used throughout the entire university with the limitation of 5000 signs per month and that it will state "Firstname Lastname Open Source Developer", just like KeePass is signed. If this is not at all acceptable, then the standard certificate for open source software for 209 EUR a year is available also a good price, with discounts if you choose 2 or 3 year validity. Can also be used for the entire university.

I hope the university can afford it and start signing the GitHub version. Thanks in advance!

I doubt that investing time and money into signing worth that.

but you can learn it, test it and try to convince other follow your steps.

I can't believe what I'm reading 😂
In 2026, a person representing an entity that is developing a product related to security in computing - a VPN software, is questioning established contemporary cybersec best practices of signing executables to reduce being marked as malware in security products, and to provide evidence of the software origin. And they're bragging as a university-backed software. A university - meaning a frontier of science, a curator of best things we have.

Apparently not in this very case.

Are you still living in 1990s? Or under a stone?
Or do you think the entire industry of anti-virus software just conspire against you?

Even individual open-source developers provide signed binaries for Windows. And it's mandatory for macOS and Android, too. Other VPN clients are signed as well.

If this software is really university-backed as advertised, any decent university would have no problem spending 50 EUR for things like that. It's not even a rounding error in the spending balance.

This just doesn't make any sense. I'm not going to take it further.
I will just consider SoftEther VPN to really be malware. Maybe there is a covert reason behind this project not wanting to fix this issue.

You can close this if you want, my head just exploded. I'm going to get some longer walk to understand what I just witnessed.

miracle happens.

please provide your own result in signing.
it's somewhat easy - build binaries, sign them and check how malware scanners recognise it.

otherwise it is marketing hallucination.