
Issue 870414

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



allow signing chrome binaries with test keys

Project Member Reported by wfh@chromium.org, Aug 2

Issue description

It would be nice if the build supported signing Chrome binaries with test keys in order to test parts of the code that verify binary integrity.

e.g.

sign_chrome_binaries = true

It could call signtool.exe to sign.

Here are the commands I used to do this manually. To validate on the client, you need to take the CARoot.cer and install it into the trusted root store.

REM generate the certs, run once only.
makecert -n "CN=CARoot,O=My Org,OU=Dev" -r -pe -a sha512 -len 4096 -sv CARoot.pvk -h 0 -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" CARoot.cer
pvk2pfx -pvk CARoot.pvk -spc CARoot.cer -pfx CARoot.pfx -po P@ssw0rd

---

REM batch file for building and signing a chrome package.
setlocal
set PATH=%PATH%;C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64

call autoninja -C out\goma64 mini_installer

signtool sign /tr http://timestamp.digicert.com /td sha512 /fd sha512 /f CARoot.pfx /p P@ssw0rd out\goma64\chrome.exe
signtool sign /tr http://timestamp.digicert.com /td sha512 /fd sha512 /f CARoot.pfx /p P@ssw0rd out\goma64\chrome_child.dll
signtool sign /tr http://timestamp.digicert.com /td sha512 /fd sha512 /f CARoot.pfx /p P@ssw0rd out\goma64\chrome_watcher.dll
signtool sign /tr http://timestamp.digicert.com /td sha512 /fd sha512 /f CARoot.pfx /p P@ssw0rd out\goma64\chrome_elf.dll
signtool sign /tr http://timestamp.digicert.com /td sha512 /fd sha512 /f CARoot.pfx /p P@ssw0rd out\goma64\chrome.dll

call autoninja -C out\goma64 mini_installer

signtool sign /tr http://timestamp.digicert.com /td sha512 /fd sha512 /f CARoot.pfx /p P@ssw0rd out\goma64\mini_installer.exe


Cc: pmonette@chromium.org chrisha@chromium.org
fyi, if you want the commands. I'm using them for local testing.
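
An added example, not part of the original issue or the Chromium build: a PowerShell check that the binaries signed by the batch file in the issue description carry a valid Authenticode signature from the test key. It assumes CARoot.cer and out\goma64 from the issue's commands and is run from the same directory; the parameter names and the -RemoveRoot switch are illustrative.

```powershell
# Added example: verify test-signed Chrome binaries (not Chromium's own tooling).
param(
    [string]$OutDir   = 'out\goma64',   # build directory used in the issue
    [string]$RootCert = 'CARoot.cer',   # test root generated by makecert
    [switch]$RemoveRoot                 # assumption: remove the test root after checking
)
$ErrorActionPreference = 'Stop'

$binaries = 'chrome.exe', 'chrome_child.dll', 'chrome_watcher.dll',
            'chrome_elf.dll', 'chrome.dll', 'mini_installer.exe'

# Trust the test root for the current user only, not machine-wide.
# Windows shows a confirmation dialog when the Root store is changed.
$root = Import-Certificate -FilePath $RootCert -CertStoreLocation Cert:\CurrentUser\Root

try {
    $results = foreach ($name in $binaries) {
        $path = Join-Path $OutDir $name
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $name; Status = 'Missing'; TestKey = $false; Timestamped = $false }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File        = $name
            Status      = [string]$sig.Status
            # The self-signed test cert signs directly, so signer and root thumbprints match.
            TestKey     = $sig.SignerCertificate.Thumbprint -eq $root.Thumbprint
            Timestamped = $null -ne $sig.TimeStamperCertificate
        }
    }
    $results | Format-Table -AutoSize

    $bad = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.TestKey })
    if ($bad.Count) {
        throw "$($bad.Count) binaries are not validly signed with the test key"
    }
}
finally {
    # While the test root is trusted, anything signed with CARoot.pfx validates on this account.
    if ($RemoveRoot) {
        Remove-Item -Path "Cert:\CurrentUser\Root\$($root.Thumbprint)"
    }
}
```

Run it with -RemoveRoot once local testing is finished so the test root does not stay in the trusted store.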
