An end-entity certificate with the Code Signing EKU.
Leaf / End-Entity Certificate: The final cert in the chain — the one actually used for signing, TLS, email, etc. Cannot issue further certificates.
This certificate is specifically authorized to sign executable software.