Well, I’m a relative newbie to the Windows signing space, but I’ll put in my two cents based upon my experience over the last couple of months.
So you’re talking about using Parallels but not sharing the desktop. Do you mean you want to run the Parallels VM headless (e.g. running in the background with no window/display)?
Assuming this is what you mean, then you’ll need some way of triggering some kind of event on said machine. Maybe a web app running on this machine from which you can start the process, or maybe something such as: if this file shows up in the shared folder, then kick off the build process.
This all implies signtool.exe running in Parallels, as there’s no way to run this directly on the Mac.
Additionally, if you have one of the older signing certs, then I believe you can sign directly on the Mac until it expires. @Tim_Parnell built ExeWrapper to handle this, but I believe it’s EOL’d as all newer certs have moved over to hardware key signing (e.g. fancy USB stick). If you still have an older cert that is in file form, then reach out to Tim and he might be able to help.
Otherwise, for any of the new signing certs, this requires the hardware key and entering in your PIN when signing. Assuming Microsoft did their homework and is adequately handling security, I’d expect it not to be easily possible to script automatically entering in your PIN into this dialog when signfile.exe runs. Who knows, you might be able to figure something out if you’re in this space though.
Alternatively, many of the signing certificate vendors offer cloud-based signing. In my case, I’m using ssl.com and they have an optional eSigner service that runs about $20 a month. As much as I don’t like the idea of yet another subscription, if I had a team of people and needed to craft an automated solution in the space, I’d likely pick this option. Just being around the block a few times in these kinds of endeavors, one could potentially burn tons of time and brain cycles crafting a solution (e.g. think about maybe a Web app running on said Parallels VM, crafting some way of entering the PIN, etc.) when the Cloud service might be the less costly and easier solution.