I assume anyone can with some effort add their certificate under name X to their database, in that case, is there anything stopping a fake publisher from adding themselves with the name of a legit publisher and the signature saying it's from legit X?