That's not a dumb idea at all; it's a clever and interesting idea, but it is possibly flawed. It neatly solves the problem of trusting the source of the data, and solves the compromised certificate authority problem.
The implementation details are important. Do you end up using Bitcoin addresses as trusted identities in the same way you deal with a GPG address, but without any "web of trust" or key revocation features?
By using the blockchain, you have a signed message, but how do you know who signed it? Is this really any better than using GPG to sign an application signature?
The world really needs an app authenticity system, kind of like what AV engines already have, where you can figure out if your version of an app is a rare one or something that's trusted by a crowd. Something like the SSL Observatory, but for applications and updates, would be really good.
Maybe we should take this discussion off the forum because it's off topic?