They are likely using a plain-old SSL Cert signed by a plain-old public CA, which is how your computer would know if the executable appears to come from Apple or not.
First of all, code signing certificates are not "plain-old SSL certs". They're for code signing, not SSL.
Second, Apple includes their own root certificates in their own operating systems just like everybody else. I've personally implemented a code signing mechanism for a platform that had no root certificates except for those I personally generated (and still control).
The public CA system is just irrelevant here. It has nothing to do with anything.