Comment by PunchyHamster

Actually, Windows by default will not trust code signed by CAs that issue certificates to websites. It will only trust code signed by CAs that are approved for code-signing, which isn't a very large set anymore. Moreover, recent CA/Browser Forum policies forbid dual-use CAs anyway. If Let's Encrypt issues you a certificate for a web site, it cannot be used for code signing.

It's possible that they could start issuing separate certificates upon specific request for code signing purposes, but it's doubtful they would be willing to meet Microsoft's requirements for such certificates, so their code-signing CA would not be added to Windows's trust store, rendering the certificates it issues useless.

The ACME protocol, the key automation technology that makes Let's Encrypt possible, performs domain validation only. It verifies that you, the person (or bot) making the request, are an authorized administrator of the DNS records, or port-80 HTTP server, for that domain. This is directly relevant to, and generally considered sufficient for, HTTPS.

However, domain validation is almost completely irrelevant to, and insufficient for, code signing. Microsoft's rules (and Apple's, incidentally) require establishing the identity of a legal person (individual, or preferably, company). There is no way the ACME protocol can do this, which means that the process is totally out of Let's Encrypt's wheelhouse.

What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.