You also have to look at the other side, i.e. the distribution. It has to set up infrastructure to verify and sign every binary that passes. And who says that distributions have proper security mechanisms preventing the keys from being stolen/abused? Even kernel.org got hacked. Why not some random server from Ubuntu?
Red Hat, Novell or Canonical can easily set up an infrastructure for their distributions.
Originally Posted by Rexilion
As for configuration, you can assert that for every defense mechanism.
But it's much, much easier to sign a program than to write a complete and secure SELinux policy for each (!) program.
That sounds like it's against the GPL, at least as long as user-space binaries are concerned. You can modify and recompile, but you cannot run. Someone who provided you with a signed user-space binary should have provided you with a key to sign it as well, i.e. ability to modify it and redistribute modifications.
I think it should not matter whether you can turn that feature in the kernel off or not, because the kernel is licensed separately and is not considered a part of the program. As far as I understand the GPL, keys should be included in the source code, according to this definition:
"The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities."