It does seem like the app store transaction should be forced to use an Apple cert, not just any cert signed by a root CA. Pinning a single cert seems risky, since certificates can be compromised.