Apple shouldn't be the one doing the signing for every user or giving out any private keys of theirs. What should happen is that they should be forced to design their devices in such a way as to allow an authorized user to change the public key used for signature verification.
All this is a digression, however. The point is that the law should simply mandate that manufacturers design their devices in a way in which what the OEM can do to an already-sold device in terms of code execution/control also be possible for the new owner to do.