Only signal is that whoever is in the subject DN (highly) probably signed the code. There's 0 signal about trustworthiness of the code in the signature. Thrustworthiness signal is in the behavior/reputation of the signer.

Pretty sure there were historically a lot of apps that stole peoples contact lists and were signed properly. Certainly in the Android world.