Sure, it's certainly possible.

Though, I prefer to give people benefit of doubt for this type of thing. IMO, the level of incompetence to parse a binary file before checking the signature is significantly higher (or at least different) than simply pushing out a bad update (even if the latter produces a much more spectacular result).

Besides, we don't need to speculate. We have the driver. We have the signature files [1]. Because of the publicity, I bet thousands of people are throwing it into Binary RE tools right now, and if they are doing something as stupid as parsing a binary file before checking it's signature (or not checking a signature at all), I'm sure we will hear about it.

We can't see how it was signed because that's happening on Cloudstrike's infrastructure, but checking the signature verification code is trivial.

[1] Both in this zip file: https://drive.google.com/file/d/1OVIWLDMN9xzYv8L391V1ob2ghp8...

Kind of a side talent, but I’m currently (begrudgingly) working on a project with a Fortune 20 company that involves a complicated mess of PKI management, custom (read: non-standard) certificates, a variety of management/logging/debugging keys, and (critically) code signing. It’s taken me months of pulling teeth just to get details about the hierarchy and how the PKI is supposed to work from my own coworkers in a different department (who are in charge of the project), let alone from the client. I still have absolutely 0 idea how they perform code signing, how it’s validated, or how I can test that the non-standard certificates can validate this black-hole-box code signing process. So yeah, companies really don’t like sharing details about code signing.