Signing has nothing to do with trust, but establishes that the code hasn't been modified since the signer signed it. That's potentially useful.
Trust has nothing to do with signing or inspecting the actual applet or the intentions of the software. It only means the signer paid a certificate authority who is trusted. The CAs have no responsibility to certify anything except some fig-leaf level of identity check. There's no way to walk the signer identity back to somebody you want to arrest unless they were honest and not evasive when they purchased their certificate. There's no way to prove that a certificate that was used to sign malware was actually used by the person who purchased it. It's a nearly vacuous concept of trustworthiness.
I don't believe that Oracle is planning to make money from the certificate process. It's all about covering their asses, which I can understand without liking it. It's long been my contention that some morning, every Windows machine connected to the internet will be bulk-erased, and every one of the victims will sue Microsoft. If I were Oracle, I'd be worried about that prospect too.