Code signing key compromise has happened at least for Red Hat and Adobe quite publicly. Plenty of malware use code signed windows device drivers with stolen(?) hw manufacturer keys, too.