The NGWS security system allows an administrator to set security policy based on Authenticode signatures. The Authenticode signature is carried in the assembly itself, specifically in the file containing the assembly's manifest.
As described above, the NGWS runtime allows assemblies to be packaged in CAB files for download purposes. Although the Authenticode signing tools allow CAB files to be signed, the signature on a CAB file cannot be used to make policy decisions in NGWS; that is, the NGWS runtime does not "apply" the signature on the CAB to each assembly in the CAB while evaluating policy. The Authenticode signatures must be on the assemblies themselves.
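Because a CAB-level signature does not carry over to its contents, it is worth checking before deployment that every assembly extracted from a CAB has its own embedded signature. The following is an added example, not code from the NGWS documentation: it reads the PE certificate table of each file and lists those without an embedded Authenticode blob. The function names and the sample files are hypothetical, the CAB is assumed to be already extracted, and only presence is checked, not validity.

```python
import struct

SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA, used by Authenticode

def embedded_signature(pe: bytes):
    """Return (file_offset, length) of the embedded signature blob, or None.
    Presence check only: the signature and its chain are not validated."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                        # past signature + COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)         # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)    # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return None
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if off == 0 or size < 8 or off + size > len(pe):     # entry holds a file offset
        return None
    length, _rev, ctype = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE
    if ctype != PKCS_SIGNED_DATA or not 8 <= length <= size:
        return None
    return off, length

def unsigned_assemblies(files: dict) -> list:
    """Names of extracted files that carry no embedded signature of their own."""
    return sorted(n for n, data in files.items() if embedded_signature(data) is None)

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header image (demo data, not a real assembly)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff
    if not signed:
        return image + bytes(opt)
    cert_off = len(image) + len(opt)                     # table placed at end of file
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, cert_off, 24)
    cert = struct.pack("<IHH", 24, 0x0200, PKCS_SIGNED_DATA) + b"\0" * 16  # placeholder
    return image + bytes(opt) + cert

if __name__ == "__main__":
    cab_contents = {"signed.dll": sample_pe(True), "unsigned.dll": sample_pe(False)}
    print(unsigned_assemblies(cab_contents))
```

A file that passes this check still needs its signature verified with the platform's Authenticode tooling before it is trusted.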