Do I need to code sign my executables to add my application to WinGet?

Question

The WinGet spec lists the Minimal singleton YAML file example (which I will display below as of 6/17/2021) shows a SignatureSha256 value, which I think signifies that the executables must be signed... Which costs money.. as there are only a handful of CAs in the Microsoft Trusted Root Program. Am I correct to think that the executables must be signed?

PackageIdentifier: "Microsoft.WindowsTerminal"
PackageVersion: "1.6.10571.0"
PackageLocale: "en-US"
Publisher: "Microsoft"
PackageName: "Windows Terminal"
License: "MIT"
ShortDescription: "The new Windows Terminal, a tabbed command line experience for Windows."
Installers: 
 - Architecture: "x64"
   InstallerType: "msix"
   InstallerUrl: "https://github.com/microsoft/terminal/releases/download/v1.6.10571.0/Microsoft.WindowsTerminal_1.6.10571.0_8wekyb3d8bbwe.msixbundle"
   InstallerSha256: 092aa89b1881e058d31b1a8d88f31bb298b5810afbba25c5cb341cfa4904d843
   SignatureSha256: e53f48473621390c8243ada6345826af7c713cf1f4bbbf0d030599d1e4c175ee
ManifestType: "singleton"
ManifestVersion: "1.0.0"

Answer 1

from this pull request, which was merged succesfully, you can see that SignatureSha256 is not required with exes. Furthermore, as @Robert pointed out in a comment to my question, In the JSON schema file the comment sounds more like it is optional: SignatureSha256 is recommended for appx or msix.

Here is relevant code in that pull request:

PackageIdentifier: WeMod.WeMod
PackageVersion: 7.1.3
Installers:
- Architecture: x86
  InstallerType: exe
  InstallerUrl: https://storage-cdn.wemod.com/app/releases/stable/WeMod-7.1.3.exe
  InstallerSha256: 64df92f972e8e055ca816f91f9f3cba20bcac2febda818b38da7d24af64e67a0
  InstallerSwitches:
    Silent: /s
    SilentWithProgress: /s
ManifestType: installer
ManifestVersion: 1.0.0