His suggestion involved the operating system computing the md5 digest of the executable file before running it. In this case you would not be looking to see if it matches the digest that wherever you downloaded it from provided. There is no foo.md5sum for them to replace.
This scheme is easily subverted many ways: by having the executable only being bad a few times, or much later than when the user could identify it as the source, or a collision attack against the hash function.
Also note that digital signatures are only as strong as their components. It doesn't matter that you signed it if you use md5sum in the process of signing it. An attacker just needs a binary that has the same digest as the one the signature says it does, which results in attacks that completely ignore the bits that involve the asynchronous keys.
This scheme is easily subverted many ways: by having the executable only being bad a few times, or much later than when the user could identify it as the source, or a collision attack against the hash function.
Also note that digital signatures are only as strong as their components. It doesn't matter that you signed it if you use md5sum in the process of signing it. An attacker just needs a binary that has the same digest as the one the signature says it does, which results in attacks that completely ignore the bits that involve the asynchronous keys.