SignPath: Verify Your Software Supply Chain and Go Beyond Code Signing.
Code signing was designed to give recipients confidence that software came from a trusted source and hasn't been tampered with. But a signature only proves that the signing key was used. It does not prove that the build process was clean.