There's another possibility: Maybe opera has an internal service that accepts software uploads and automatically signs them. That way an attacker might have spread malware without having stolen the certificate.