Except when the signtool.exe defaults to SHA-1, generating a signature that Windows won't accept. And then you need to add an arg for a timeserver. And args in a wrong order just silently generate a useless signature. And documentation for all of it is mostly from IE5.5 era, fragmented over several unfinished reorganizations of MSDN.
And tooling for managing the certs is another pain. Mine required entering a PIN from a GUI every time certs were touched, so I couldn't automate the builds.
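For the signtool problem described above, the invocation and check a practitioner would want, as an added example that is not part of the comment: `/fd` and `/td` select SHA-256 for the file and timestamp digests (signtool's default is SHA-1), `/tr` names an RFC 3161 timestamp server, all options precede the file name, and a verify step surfaces a signature Windows would reject. It assumes signtool.exe from the Windows SDK is on PATH; the thumbprint and timestamp URL are placeholders.

```powershell
# Added example (not from the comment above). Assumes signtool.exe is on PATH and
# the code-signing certificate is in the CurrentUser\My store. The thumbprint and
# timestamp URL are placeholders; substitute your own values.
param(
    [Parameter(Mandatory)] [string] $File,
    [string] $Thumbprint   = 'REPLACE_WITH_CERT_SHA1_THUMBPRINT',   # placeholder
    [string] $TimestampUrl = 'http://timestamp.example.invalid'     # placeholder RFC 3161 URL
)

$ErrorActionPreference = 'Stop'

# Documented syntax is: signtool sign [options] <file>, so every option comes first.
#   /fd SHA256   - file digest algorithm (SHA-256 instead of the SHA-1 default)
#   /tr <url>    - RFC 3161 timestamp server (not the legacy Authenticode /t switch)
#   /td SHA256   - digest algorithm used for the timestamp
#   /sha1 <tp>   - pick the certificate by thumbprint instead of letting /a guess
& signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 /sha1 $Thumbprint $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify under the default Authenticode policy (/pa). /v prints the digest
# algorithm and the timestamp, so a SHA-1 digest or a missing timestamp is visible.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signature on $File does not verify" }

# Independent check with the built-in cmdlet: status must be Valid and the
# timestamping certificate must be present, otherwise the signature expires
# together with the signing certificate.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Get-AuthenticodeSignature: $($sig.Status) - $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) { throw "no timestamp on $File" }
"Signed by:      $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```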