Easier than that. Only the vendor's publisher account should be allowed to sign with the vendor's keys. Implement the same policy for everybody, so if one publisher uploads a package signed with the same keys as another, the original publisher should be notified.