I think joshstrange has it right: the easiest way for everyone is to do it yourself and take the original developer out of the loop. There's no reason the person who writes the code and the person who handles the certified distribution need to be the same. Set up a site 'pdabbadabba's signed distribution of putty (and perhaps of whatever other open source programs you think merit such),' get the certificate yourself, offer downloads and ask users for money to cover the costs.
A fair point, and I'm actually tempted to do just that. I wonder, though: why on earth would anyone trust code that I have signed? At least the developer has (maybe) built some level of trust. But what's the benefit of signing by some random third party?
Trust is built by things like time and social proof. Whether you're the person who wrote the code doesn't really come into it. Look at how it works on Linux: most people install most software via package managers. Nobody expects the person who wrote the code to be the same as the person who has the knowledge and resources to package stuff for Debian or whatever. The Debian packagers have earned trust over time. You could do the same thing.
This is fine, but for anyone to be able to actually trust that this person's signed distribution of some piece of software is actually safe, you would have to assume that the person has some way of obtaining the source code from a place that they themselves trust. If they don't write the code and have no access to any other signed version, this may be difficult.
Linux packagers seem to have successfully solved this problem. I imagine it's at least in part because it makes sense for them to put in a bit more effort (e.g. email to the author to make sure they have the right version, if necessary) to save every user having to redo it.