Because a bad guy can also generate their own signing key and deploy it alongside the installer.
See Notepad++ for how that winds up.
Because a bad guy can also generate their own signing key and deploy it alongside the installer.
See Notepad++ for how that winds up.
Then you can publish the public Code Signing certificate for download/import or publish it through WinGet.
Using Azure Trusted Signing or any other certificate vendor does not guarantee that a binary is 100% trustworthy, it just means someone put their name on it.