I just don't get: so many times, digitally signing/"certifying" applications is presented as the solution to application security issues. But what does digitally signing applications have to do with application security? Nothing, it seems to me, as it only proves that the application was signed by a certain entity. It makes absolutely no point about any security implemented in the application. Digitally signing an application doesn't mean auditing it. It would be way to much work to code-audit every single application that is about to be signed and published, and still wouldn't actually prove security. So what is the point of digitally signing applications, except for triggering a false sense of security in the lay-user? Or am I just too stupid to get the whole concept?