> spoofed code-signed certificate
Where would the attacker get the legitimate signing key of the public-private key pair associated with a legitimate signer's certificate?
The whole public key cryptography system is vulnerable and falls apart if private keys are exploited or revealed or not protected adequately or hacked.
Public key cryptography is state of the art and is used for virtually everything – key exchange to establish an encrypted HTTPS session, public keys used to verify the authenticity of signed documents, software, etc. – everything.
There's no easy way to derive the private key of a public-private key pair from its public key. The public key is used to verify that something was signed by the corresponding private key, which is supposed to be in the hands of ONLY the entity to which the certificate was granted. Either that entity was compromised, or the certificate authority that granted the certificate (+ key pair) to that entity was compromised. Or the CA above them in a hierarchical CA registry system.