hi tru!
sure, it is possible, but technically, using strong encryption, i think one would need a decade (using at least a cray) to reproduce the private key from the public key. and if the user wants to update limewire, we should assume that he trusts limewire.com. therefore, this mechanism should be pretty safe, it very much resembles the security concept for signed java applets.

however, there will always be the chance that users download viral versions using standard gnutella or web search, there is nothing you can do about that...

as for the DLDER trojan: (Quotation from Symantec AntiVirus Center)

>> This Trojan is known to be installed (as part of the normal
>> installation) by two "freeware" file-sharing programs:

>> Grokster, which is a file sharing system.
>> Limeware, which is the LimeWire Gnutella Client.

>> During the installation process of these programs, you are
>> asked if you want to install the (spyware)
>> program "Clicktilluwin." Regardless of whether you click Yes or
>> No, the Trojan code is installed.

this behaviour can hardly be called legal. it is nothing but a viral invasion of your system supported by deception of an installer. if limewire was not aware of this, they should consider legal reactions regarding the clicktilluwin developers.