I went with the jacking-the-api approach, it was the easiest with just a few lines of code (two of which were VirtualProtect).

It's worth noting that there is another approach which, while slightly more complicated, would allow for nearly async execution of installer.

Apparently, all one has to do is update PrivateHash after setting the Driver Signing Policy. There is even Easy-To-Trace How-To code right in SetupAPI.dll (and there's only one function that even deals with that registry entry, so I won't list it by name).

I can only imagine a future version of Windows will be more secure, but for now, there's no excuse to enduring the WHQL signing warning any longer.