See http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/digital-signature-abuse.aspx (and the link there to the .pdf document) on how malware can be digitally signed. Research, News, and Perspectives mentions how certs can be stolen to be used by malware.
Digital signatures were a past means of identifying the source for program code and to thwart malware but malware authors haven’t been stagnant and would obviously attack this seal of assurance to get victims to install their crap. Using a digitally signed malware app is one means of socially engineering users into accepting the malware (just as it is a means to assure users that the software is goodware).
In the past, digital signatures were considered sacrosanct in that they would identify the identity of whomever was the author of some software. Alas, way too many free and trial certificate issuers don’t validate the identity and are just interested in generating revenue. Anyone, including malware authors, can buy a cert. What is more omnimous is that certs for known good vendors can be usurped by malware.
So it seems that all unknown software should be considered suspect, including digitally signed software even if the cert appears to be for a known good vendor. Because of this increasing abuse by malware authors, it seems that no one should get listing under My Trusted Software Vendors. It’s all suspect until proven okay on your computer but not because it was signed because it could be signed malware or even malware signed with someone else’s cert.
It seems we users can no longer trust digitally signed installers or their deposited apps. Does Comodo’s whitelist involve just the hash sigs of goodware or does it also include certs for supposedly known good authors?