Based on a similarly quick web search, even a non-EV code signing certificate seems to require jumping through a number of hoops:
https://www.dougv.com/2008/09/my-experience-getting-a-code-s...
If you secure your official download page via HTTPS, MITMing that connection requires getting your website cert signed by a CA. Which, while possible (see: DigiNotar), tends to be something the CAs try to avoid - lest they lose their license to print money by having their certificates revoked by browser vendors.