You can sign your own code, and declare yourself trusted to yourself.
Hopefully malicious code publishers will not be declared trusted for the general public by the certification authorities.
And, if they turn out to be malicious later on, the trust can hopefully be revoked.