also what you're pointing at should change at every revision, so it's probably less overhead to just maintain a list of what you care about and the certs you expect the code to be signed with at those paths

By revision, you mean when a plist is modified?

no, I mean when the 'vendor' updates the software as that would change the target's hash