I can be an authorized developer and erroneously sign a piece of software that contains some malware. Typical cases are a disgruntled employee pushing vulnerabilities obfuscated in the source code, or the development/deployment machine being infected and infecting all generated executables prior to signing -- this way the malware is always present and always signed.
> If you can mechanically distinguish between unsigned malware and unsigned white hat software, I suspect there's a very big bag of money waiting for you somewhere.
There is no way (signatures or not) to distinguish malware from white hat software. It's an undecidable problem, even for humans. The bag of money referred to will stay put for a loooooooooong time.
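The infected-build-host case from the comment above, as an added example that is not part of the original post. It models a toy release pipeline where an HMAC-SHA256 over the artifact stands in for a code signature (an assumption for brevity; a real pipeline would use an asymmetric signature, but the property shown is the same). Tampering after signing fails verification; the same payload injected by the build host before signing verifies perfectly, because a signature vouches for who signed these exact bytes, not for what they do. The `independent_rebuild_matches` check at the end goes beyond the post: it shows the kind of control that does catch a compromised build host, namely rebuilding on an independent machine and comparing artifact hashes. The signing key, source, and payload are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; none of these are real keys or real malware.
SIGNING_KEY = b"example-authorized-developer-key"  # assumed code-signing key
CLEAN_SOURCE = b"int main(void) { return 0; }\n"    # constructed build input
PAYLOAD = b"/* constructed inert payload marker */\n"  # constructed, harmless bytes


def build(source: bytes, build_hook=None) -> bytes:
    """Toy 'compiler': derives an artifact from the source.
    build_hook models a build host that alters every artifact it produces."""
    artifact = b"TOY-EXE:" + hashlib.sha256(source).digest() + source
    if build_hook is not None:
        artifact = build_hook(artifact)
    return artifact


def sign(artifact: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Authorized signer. HMAC-SHA256 is an assumed stand-in for a code signature."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Signature check: proves the key holder signed these exact bytes, nothing more."""
    return hmac.compare_digest(sign(artifact, key), signature)


def infect(artifact: bytes) -> bytes:
    """Models the infected build host: appends the payload to whatever it builds."""
    return artifact + PAYLOAD


def contains_payload(artifact: bytes) -> bool:
    """Ground truth for this toy only; real malware has no such marker."""
    return PAYLOAD in artifact


def release(source: bytes, build_hook=None):
    """Build, then sign whatever the build host handed over."""
    artifact = build(source, build_hook)
    return artifact, sign(artifact)


def scenario_clean():
    """Honest build host: verifies, no payload."""
    artifact, sig = release(CLEAN_SOURCE)
    return verify(artifact, sig), contains_payload(artifact)  # (True, False)


def scenario_tampered_after_signing():
    """Payload added after signing: the signature catches it."""
    artifact, sig = release(CLEAN_SOURCE)
    tampered = infect(artifact)
    return verify(tampered, sig), contains_payload(tampered)  # (False, True)


def scenario_infected_before_signing():
    """Payload added by the build host before signing: signature is valid,
    payload is present. This is the 'always present and always signed' case."""
    artifact, sig = release(CLEAN_SOURCE, build_hook=infect)
    return verify(artifact, sig), contains_payload(artifact)  # (True, True)


def independent_rebuild_matches(source: bytes, suspect_artifact: bytes) -> bool:
    """Assumed control beyond the post: rebuild on an independent, uninfected host
    and compare hashes. Catches the infected host where the signature cannot."""
    reference = build(source)  # independent host, no hook
    return hashlib.sha256(reference).digest() == hashlib.sha256(suspect_artifact).digest()


if __name__ == "__main__":
    print("clean                  :", scenario_clean())
    print("tampered after signing :", scenario_tampered_after_signing())
    print("infected before signing:", scenario_infected_before_signing())
    infected_artifact, _ = release(CLEAN_SOURCE, build_hook=infect)
    print("independent rebuild matches infected artifact:",
          independent_rebuild_matches(CLEAN_SOURCE, infected_artifact))
```

The `contains_payload` check exists only so the toy can report ground truth; it is not a malware detector, and the point of the comment is that no general one exists. The rebuild comparison is the practical mitigation for the build-host case: it needs a second host the attacker does not control and a build that is reproducible enough to compare.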