I work for a small company that signs its code - pretty much required if you want to install in any enterprise these days.
Its a certificate chain - we purchase a cert from a provider such as Verisign. They request basic proof of identity - business registration, contact number etc. They create a cert for us signed by them. Their cert is signed by Microsoft.
We sign our app with our cert - anyone accessing the binary signed by us can verify it hasn't been alterated and our cert was signed by Verisign, which was signed by Microsoft.
Note that all this provides is proof that the exe was created by us. It in no way guareentees that we aren't distributing our own malware etc. But what it does provide is a way of tracing a exe back to the signer.