No, I won't really take part in this flameparty re code signing (since most of it misses the target anyway), but I just thought I'd mention my own limited experience with trojans and spyware: the only times I've encountered trojans or spyware in the real world (that is, outside my geek universe), they have all been delivered as signed executables. Generally, up pops a window telling me that the code is signed, and who has signed it, followed by an arbitrary string provided by the signee that usually says something like "install this cool software now to utilize all the really hot functions on this web site".
So, away went the credibility of code signing?
I do recognize the need for code authenticity, of course. It's just that when told so, grandma will always click "Yes", "Install" or whatever seems the most productive option at the time. "No" and "Cancel" are actually scarier - even if they are the default. And by the way - what kind of notion of a "default choice" does the average home user have anyway? Do they really distinguish between the default and non-default button in a dialog like this? I recall the good old days when I was young and had enough time to skip studies and instead spend it on compiling my Linux kernel, and when running make config, the last line of every configuration description was something like "If unsure, select 'N'" or "'N' should be a safe bet". I actually followed that advice when I really was unsure. Internet Explorer, in this example, never gives such a straightforward direction - instead, it tries to explain the domains of code signing and "trusted publishers". Ol' grandma will think "of course I trust this publisher! My grandson told me to click on this link!" even if the link her grandson told her to click on was twenty clicks away.
Also, if IE actually had made it clear to its users that they really shouldn't run unsigned code, a lot fewer people would have tried Firefox (and the poster is right that there is a point in signing the Firefox installable anyway). And that would have been a bad thing. I don't have a good solution for this whole thing, in general. Many people believe in Trusted Computing and it really gives me the shivers. But something has to be done, I guess.