Not necessarily. For issues like the one discussed in this thread, a simple ssh-style "trust initially" would have sufficed, and would have prevented the malicious installer from running.
Note that I'm not proposing this as a replacement for the current cert system (which you pay into), but as a replacement for unsigned executables.