[saltamimi]

I'm confused why they can't just generate their own signing key and deploy it alongside the installer.

Using arbiter platforms like this sounds like a great way to footgun yourself.

[Someone1234]

Because a bad guy can also generate their own signing key and deploy it alongside the installer.

See Notepad++ for how that winds up.

[saltamimi]

Then you can publish the public Code Signing certificate for download/import or publish it through WinGet.

Using Azure Trusted Signing or any other certificate vendor does not guarantee that a binary is 100% trustworthy, it just means someone put their name on it.