> We might have a viable developer certification trust system by now
Don't we already have that system, in the form of distributions? More specifically, I'm thinking of something like Ubuntu's PPA system, where each developer publishes their packages with their own signing key.
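The per-developer trust model in the reply above, as an added example that is not part of the original post or of Ubuntu's tooling: a client pins one public key per PPA, the developer signs the repository's Release file, and Release in turn commits to the Packages index and the .deb by SHA-256 hash, which is the chain apt walks. To keep the script dependency-free, OpenPGP is replaced by a Lamport one-time signature built from SHA-256 (a real but single-use hash-based scheme, used here purely as a stand-in); the PPA names, file contents and package bytes are constructed for the example.

```python
"""Added example, not from the original thread: a minimal model of PPA-style
trust where each developer signs with their own key and the client pins that
key per PPA. OpenPGP is replaced by a Lamport one-time signature over SHA-256
(stand-in only, never reuse a key); the Release -> Packages -> .deb hash chain
mirrors apt's layout but the contents below are constructed."""
import hashlib
import os

H = hashlib.sha256


def keygen(rng=os.urandom):
    # Private key: 256 pairs of 32-byte secrets. Public key: their SHA-256 images.
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, msg):
    # Reveal one secret of each pair, chosen by the corresponding bit of SHA-256(msg).
    # Lamport keys are one-time: signing two messages leaks enough to forge.
    digest = int.from_bytes(H(msg).digest(), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg, sig):
    # Hash each revealed secret and compare against the half of the public key the bit selects.
    if len(sig) != 256:
        return False
    digest = int.from_bytes(H(msg).digest(), "big")
    return all(H(sig[i]).digest() == pk[i][(digest >> (255 - i)) & 1]
               for i in range(256))


def sha256_hex(data):
    return H(data).hexdigest()


def build_repo(sk, deb):
    """Developer side: Packages commits to the .deb, Release commits to Packages,
    and only Release is signed (constructed layout, simplified from apt's)."""
    packages = f"Package: hello\nSHA256: {sha256_hex(deb)}\n".encode()
    release = f"SHA256:\n {sha256_hex(packages)} Packages\n".encode()
    return {"deb": deb, "Packages": packages, "Release": release,
            "Release.gpg": sign(sk, release)}


def verify_repo(keyring, ppa, repo):
    """Client side: accept the .deb only if the key pinned for this PPA signed
    Release and every hash in the chain matches."""
    pk = keyring.get(ppa)
    if pk is None:                      # no key pinned for this PPA: untrusted
        return False
    if not verify(pk, repo["Release"], repo["Release.gpg"]):
        return False                    # signed by someone else, or Release edited
    if f" {sha256_hex(repo['Packages'])} Packages" not in repo["Release"].decode():
        return False                    # Packages index does not match Release
    if f"SHA256: {sha256_hex(repo['deb'])}" not in repo["Packages"].decode():
        return False                    # .deb does not match the index
    return True


if __name__ == "__main__":
    alice_sk, alice_pk = keygen()       # the PPA owner's key
    mallory_sk, _ = keygen()            # a different developer's key
    keyring = {"ppa:alice/tools": alice_pk}   # constructed PPA name
    repo = build_repo(alice_sk, b"constructed .deb bytes")
    print("genuine repo:", verify_repo(keyring, "ppa:alice/tools", repo))
    print("other developer's signature:",
          verify_repo(keyring, "ppa:alice/tools",
                      build_repo(mallory_sk, b"constructed .deb bytes")))
    print("swapped .deb:", verify_repo(keyring, "ppa:alice/tools",
                                       dict(repo, deb=b"trojan")))
```

The point the model makes concrete is that trust is scoped: a valid signature from any other developer is rejected for this PPA, and a substituted package fails even though the Release signature itself is still good, because the hash chain rather than the signature covers the .deb.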