With a Chain of trust:
- The master key itself is located in a secure air gap protected by the evil Internet.
- Once in a blue moon, this key is removed from the vault and used to sign an intermediate key.
- This intermediate key is used to sign code daily.
When confirming the code on an end-user device, it asks: "Was this code correctly signed with a key that was itself signed with the passkey?" The advantage of all this is that a dangerous intermediate key can be easily revoked and a new one generated without You need to change the end user devices – all that matters to them is the root of trust, the master key.
(Small Disclaimer: I do not really know how big software houses do that, but that's how the SSL Certification Authorities work and they solve the same problem.)