Solved. First install windows-sdk-10.0:
choco install -y windows-sdk-10.0
Then add the certificate to the Cert:/LocalMachine/My store, and use the SubjectName to retrieve the certificate from the store.
$Password = ConvertTo-SecureString -String $Env:CERT_PASSWORD -AsPlainText -Force
Import-PfxCertificate -FilePath my-cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
Start-Process -PassThru -Wait "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" -ArgumentList "sign -v -debug -sm -s My -n `"SubjectName`" -d `"Desc`" my-binary.exe"
I used a powershell script for this. Make sure to run this to be able to run unsigned powershell scripts:
powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine