In practice it's much easier to just trust well-known developers by whitelisting their code-signing certificates.
You could still get owned, of course, but the benefit here is that you're excluding everything not explicitly whitelisted, including drive-by downloads, crap on portable devices or random programs downloaded off the internet that someone thinks will solve their problem of the day.
When people do not code-sign their software, every software update is painful. At work, where we run https://github.com/google/santa, it frequently happens that companies with code-signed software forget to code-sign their auto-updater, or random binaries that run during installation. Most of the time the application crashes/hangs during the update (because some pieces weren't allowed to run), only to remind you to update the software again when you restart the application.
Personally I've managed to avoid using it so far. But yes, you can whitelist individual binaries or even directories. The lack of code-signing doesn't prevent whitelisting, it just makes your life harder than necessary.
It's a shame so many "core" developer tools are not code-signed. It makes life hard in companies where binary whitelisting is used.
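An added example, written for this thread and not taken from Santa or any of the commenters: a toy default-deny allowlist evaluator with the three rule kinds the comments mention (trust a developer's signing certificate, allow one binary by hash, allow a directory), run against the "signed app, unsigned auto-updater" situation described above. All certificate fingerprints, hashes and paths are constructed placeholders.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Binary:
    path: str
    sha256: str                 # hash of the file contents
    signer_cert: Optional[str]  # fingerprint of the leaf code-signing cert; None if unsigned

Rule = Tuple[str, str]  # (kind, value); kinds: CERTIFICATE, BINARY, DIRECTORY

# Constructed placeholder rules: trust one vendor cert and one developer-tools directory.
BASE_RULES: List[Rule] = [
    ("CERTIFICATE", "sha256:vendor-leaf-cert-placeholder"),
    ("DIRECTORY", "/usr/local/devtools/"),
]

def decide(binary: Binary, rules: List[Rule]) -> str:
    """Default-deny: return 'ALLOW' only when some rule matches the binary."""
    # Normalise the path so '/usr/local/devtools/../../bin/x' cannot satisfy a directory rule.
    real_path = os.path.normpath(binary.path)
    for kind, value in rules:
        if kind == "CERTIFICATE" and binary.signer_cert is not None and binary.signer_cert == value:
            return "ALLOW"
        if kind == "BINARY" and binary.sha256 == value:
            return "ALLOW"
        if kind == "DIRECTORY" and real_path.startswith(os.path.normpath(value) + os.sep):
            return "ALLOW"
    return "DENY"

def update_scenario() -> dict:
    """Signed main app runs; its unsigned updater is blocked until explicitly allowlisted by hash."""
    app = Binary("/Applications/Vendor.app/Contents/MacOS/Vendor",
                 hashlib.sha256(b"constructed app bytes").hexdigest(),
                 "sha256:vendor-leaf-cert-placeholder")
    updater_hash = hashlib.sha256(b"constructed updater bytes").hexdigest()
    updater = Binary("/Applications/Vendor.app/Contents/Helpers/updater", updater_hash, None)
    traversal = Binary("/usr/local/devtools/../../tmp/dropper",
                       hashlib.sha256(b"constructed dropper bytes").hexdigest(), None)
    return {
        "app": decide(app, BASE_RULES),
        "updater_before": decide(updater, BASE_RULES),
        # Per-binary rule for the unsigned updater: the workaround the thread describes.
        "updater_after": decide(updater, BASE_RULES + [("BINARY", updater_hash)]),
        "traversal": decide(traversal, BASE_RULES),
    }
```

The per-binary rule has to be refreshed on every vendor release, which is the recurring pain the comments are describing.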