The Stuxnet rootkit exploit shows why digital signatures are weak.
It is not so much that the signatures themselves are weak, but that the process around signing with digital certificates is weak:
If an unauthorized person or piece of software gains access to the private key of a digital certificate used for signing, then the whole chain starting with that digital certificate is compromised.
In this case, a private key used for signing Realtek drivers was used to sign the Stuxnet rootkit drivers.
VeriSign has now revoked this particular digital certificate.
As a result, every driver that has been signed with this revoked certificate is now marked as a potential security risk.
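As an added example (not from the original post), here is a PowerShell inventory that lists the drivers in a folder by signing certificate and builds each signer's chain with online revocation checking, so every driver hanging off a now-revoked certificate shows up together. The default folder, the function name and the output columns are my own choices.

```powershell
# Added example: inventory Authenticode signatures on kernel drivers and flag
# those whose signing certificate no longer validates (e.g. revoked by the CA).
function Get-DriverSigningReport {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers"   # assumption: default driver folder
    )
    Get-ChildItem -Path $Path -Filter *.sys -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $chainStatus = @()
        if ($cert) {
            # Build the signer's chain ourselves with online revocation checking,
            # so a revoked code-signing certificate is reported explicitly.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            [void]$chain.Build($cert)
            # Note: an expired certificate whose signature is still valid through a
            # timestamp shows up here as NotTimeValid; 'Revoked' is the flag we care about.
            $chainStatus = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
        }
        [pscustomobject]@{
            Driver      = $_.Name
            Status      = $sig.Status
            Message     = $sig.StatusMessage
            Signer      = if ($cert) { $cert.Subject } else { '(unsigned)' }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
            ChainStatus = ($chainStatus -join ',')
            Revoked     = ($chainStatus -contains 'Revoked')
        }
    }
}

# Group by signing certificate: one leaked key means one revocation, and every
# driver in that group is affected at once, legitimate vendor drivers included.
Get-DriverSigningReport |
    Group-Object Thumbprint |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{n='Signer';  e={ $_.Group[0].Signer }},
                  @{n='Flagged'; e={ ($_.Group | Where-Object { $_.Status -ne 'Valid' -or $_.Revoked }).Count }}
```

Run it from an elevated prompt on a machine with network access, since revocation status is fetched online from the issuer's CRL or OCSP responder.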
The rootkit also revealed another security issue, in the Windows Shell, that is exploited through specially crafted .lnk files, but the weakness of the digital signing process has much bigger implications.
–jeroen
via: VeriSign Revokes Certificate Used to Sign Stuxnet Malware | threatpost.