It can be crazier than that. App makers who work with important APIs often pin to specific certificates (not signers) so we have one final absolute emergency measure to kill a version and force an upgrade when we have to.
That is what I refer to as pinned-certificate. Not often used except by some of the biggest companies like Facebook and Snapchat. See my answer on how to go around this.