In the PR https://github.com/JuliaLang/julia/pull/40512/ I tweaked the installer in order for Inno Setup (which creates the Julia installer) to sign the Julia executable.
Alternatively, we could reinstate the code in an older commit: https://github.com/JuliaCI/julia-buildbot/blob/80b61a9325a5b76cb757dbbb0e75f2b2d13b445c/master/package.py#L133 which uniformly signs the julia.exe regardless of whether it's packaged by the installer or not.
The second option is better because then signing the julia.exe is propagated to the shipped tarballs and zip files. Even if we go with option 2, we probably still want to merge https://github.com/JuliaLang/julia/pull/40512/, because it makes the signing of the exe independent of whether the buildbot has already signed the executable or not.