It wasn't built on my system; it was built on GitHub's continuous deployment infrastructure (so basically on a VM spun up by GitHub).
Which is itself cause for reflection: suppose I GPG-sign a binary built using this workflow. I myself am not in control of the build environment, so should I sign it? Even if it seems ridiculously unlikely that a GitHub-controlled VM would insert something?
I should probably just have people build it themselves (which is relatively painless with Rust, at least on Linux and Mac) and not even distribute binaries; it's a command-line tool, after all. As for Windows, it isn't very surprising that they produce false positives on stuff; heck, even when they don't flag something as malware, they make it very hard to run random binaries.
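One practical answer to the "should I sign a binary I did not build?" question above is to rebuild locally and sign the CI artifact only if the rebuild is byte-identical. The script below is an added example, not code from the poster or their project: the artifact paths and the `gpg` invocation are assumptions, and the sample "binaries" are constructed bytes so it runs offline.

```python
"""Only sign a CI-built binary if a local rebuild is byte-identical to it.

Added example, not code from the original post. The artifact paths and the
gpg invocation are assumptions; the sample "binaries" are constructed bytes.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def rebuild_matches(ci_artifact, local_build):
    """Return (identical, ci_digest, local_digest) for the two binaries."""
    ci_digest = sha256_file(ci_artifact)
    local_digest = sha256_file(local_build)
    return ci_digest == local_digest, ci_digest, local_digest


def sign_if_reproducible(ci_artifact, local_build, dry_run=True):
    """Gate the signature on the rebuild check.

    Returns the gpg command that would run (or did run), or None when the
    digests differ, in which case nothing is signed. With dry_run=True the
    command is only returned, so the demo never touches a real keyring.
    """
    identical, ci_digest, local_digest = rebuild_matches(ci_artifact, local_build)
    if not identical:
        print(f"REFUSING to sign {ci_artifact}: "
              f"CI {ci_digest[:16]}... != local {local_digest[:16]}...")
        return None
    # Detached, ASCII-armoured signature over the artifact we have just shown
    # we can reproduce ourselves (assumed invocation; pick your own key/options).
    cmd = ["gpg", "--armor", "--detach-sign", str(ci_artifact)]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def demo():
    """Constructed sample: a fake CI artifact, an identical local rebuild, and a
    rebuild that differs in a single byte (e.g. an embedded build path)."""
    with tempfile.TemporaryDirectory() as tmp:
        ci = Path(tmp, "tool-ci")
        good = Path(tmp, "tool-local-good")
        bad = Path(tmp, "tool-local-bad")
        payload = b"\x7fELF" + b"constructed sample binary " * 8  # not a real ELF
        ci.write_bytes(payload)
        good.write_bytes(payload)
        bad.write_bytes(payload[:-1] + b"!")
        signed_good = sign_if_reproducible(ci, good) is not None
        signed_bad = sign_if_reproducible(ci, bad) is not None
        return signed_good, signed_bad


if __name__ == "__main__":
    print(demo())  # (True, False): identical rebuild is signed, divergent one is refused
```

Caveat for Rust specifically: a byte-identical rebuild needs the same toolchain version, target and build flags as the CI job, and the build directory path is embedded in the binary unless it is remapped (rustc's `--remap-path-prefix`). If the digests still differ after that, the signature would attest only that GitHub built something, which is exactly the situation the post is uneasy about.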