Comment by strogonoff

Does it ensure the executable you downloaded and granted access to is still the same and was not modified afterwards?

Another reason is that if a cert (or a cert in the chain) is known to be compromised it can be revoked—would the mechanism used on Linux give some equivalent of that, or one has to be rely on bug trackers or apply updates to ensure trusted signatures are up-to-date?