SSL certificate signing provides basically the same level of trust as a signed installer. As long as you curl over https from the domain you trust, you're good.
Actually no as that signs the communications and not the software. If the target server is compromised then you are screwed. Also for example there is no guarantee that github.com isn't serving malicious traffic from one user under a legitimate request I.e. the poisoned sharecrop problem.
EV signed software is usually done off the internet. In our case we use a physical key to sign it offline and then upload.
EV signed software is usually done off the internet. In our case we use a physical key to sign it offline and then upload.