This is what caused me to totally dump nvidia. Their new cards require signed drivers to enable boosting behaviour, and they are unwilling to build and sign the nouveau driver. It's not like it's hard to set up a buildbot...

I wonder if you'd have to recertify after each pr merge

You would need to certify each signed release. Most likely, you wouldn't make a signed release for each PR, because of the time and expense involved, until you got to the point were changed were few and far between.

No, just before actually releasing it. Nobody cares about the code as long as it is not running on the devices.