How secure is it just to use the digital signature? Can someone spoof a digital signature?

A digital signature is applied by the application vendor, and it is nearly impossible to associate malicious content with a valid digital signature of a known vendor such as Autodesk, Adobe, etc. However, we strongly suggest securing your environment with combo rules such as Signature with File Info. For more information on this topic, please check this link: More security with Combo Rules.

Certificates are generated by a CA (Certification Authority), such as Thawte, DigiCert, etc. Though it is possible and valid to generate more than one certificate with the same Subject Name, all trusted CAs are supposed to verify certificate requests and their origin, ensuring that a certificate request for Adobe Inc., for instance, actually came from Adobe and not from a John Doe.

Even if a CA were to issue a certificate created for Adobe Inc. to a bad actor, Microsoft would remove it from the trusted CA list.

Using the Thumbprint (or Fingerprint) also gives an added benefit. It is a unique certificate identifier that is not included in the certificate itself but is computed when needed, by hashing the certificate with an algorithm such as SHA1 or SHA256.

Because it pins one specific certificate, a Thumbprint rule verifies the particular signature dated for this year, rather than an identical-looking signature that was issued for another timeframe.
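The following is an added illustration of the two points above (Thumbprint pinning and combo rules); it is example code, not part of this page or of the product, and the certificate bytes, file metadata and rule fields are constructed placeholders, not real certificates or the product's rule format. It shows that a Subject Name rule matches two different certificates with the same name, while a thumbprint pins exactly one, and that a combo rule adds File Info on top of that.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for two DER-encoded certificates sharing a Subject Name.
# A real thumbprint is the SHA1/SHA256 hash of the certificate's DER bytes; the
# inputs here are fabricated so the example runs offline.
CERT_A_DER = b"CONSTRUCTED-DER CN=Adobe Inc. serial=1001 notBefore=2023-01-01"
CERT_B_DER = b"CONSTRUCTED-DER CN=Adobe Inc. serial=2002 notBefore=2024-06-01"

def thumbprint(der_bytes: bytes, algorithm: str = "sha256") -> str:
    """The thumbprint is not a field of the certificate; it is hashed on demand."""
    return hashlib.new(algorithm, der_bytes).hexdigest().upper()

@dataclass(frozen=True)
class SignedFile:
    subject_name: str      # Subject of the signing certificate
    cert_der: bytes        # DER bytes of the signing certificate
    product_name: str      # Taken from the file's version resource (File Info)
    file_version: str

@dataclass(frozen=True)
class ComboRule:
    """Every populated field must match; fields left None are not checked."""
    subject_name: Optional[str] = None
    thumbprint: Optional[str] = None
    product_name: Optional[str] = None
    min_file_version: Optional[Tuple[int, ...]] = None

    def matches(self, f: SignedFile) -> bool:
        if self.subject_name is not None and f.subject_name != self.subject_name:
            return False
        if self.thumbprint is not None and thumbprint(f.cert_der) != self.thumbprint:
            return False
        if self.product_name is not None and f.product_name != self.product_name:
            return False
        if self.min_file_version is not None:
            version = tuple(int(p) for p in f.file_version.split("."))
            if version < self.min_file_version:
                return False
        return True

# Constructed sample files: the expected build, and the same file metadata signed
# with a different certificate that carries the same Subject Name.
EXPECTED = SignedFile("Adobe Inc.", CERT_A_DER, "Adobe Acrobat", "23.1.0")
OTHER_CERT = SignedFile("Adobe Inc.", CERT_B_DER, "Adobe Acrobat", "23.1.0")

SUBJECT_ONLY = ComboRule(subject_name="Adobe Inc.")  # matches both files
PINNED_COMBO = ComboRule(thumbprint=thumbprint(CERT_A_DER),
                         product_name="Adobe Acrobat", min_file_version=(23, 0, 0))
```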

Finally, please check this Microsoft Doc on how most application vendors associate digital signatures with their installers or EXE files: Digital Signatures and Windows Installer.