As a corollary to an issue I recently created, JENKINS-38796, I'm wondering if there may be some overlap between this issue and mine.
More precisely, if there were some way an administrator could define a 'safe' location for shared libraries and scripts and allow the content of those files / folders to change without requiring further intervention, then I believe the requirements for this improvement would be satisfied, as well as providing a mechanism to avoid the problems I've reported on this other issue.
That being the case, I'm wondering if there may be some easy way to implement this change which could be rolled into production sooner rather than later. Based on my admittedly naive understanding of the problem, could you not just add a new button to the script approval page called "approve indefinitely" which, when clicked, simply adds a new entry to the scriptApproval.xml file with the name of the script or class path and an empty value in the 'hash' property, indicating that these scripts / libraries / paths are to be loaded regardless of changes that may occur within them after being approved? The verification code could then be modified to simply check to see if the 'hash' value is empty or not, and if it is, simply skip comparing the checksum value and automatically approve the script's execution.
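
The check proposed in the comment above, modelled as an added example; it is not part of the original comment and is not Jenkins or Script Security plugin code. The entry layout (path mapped to a hash), the use of SHA-256, the paths and all function names are assumptions made for illustration.

```python
import hashlib
import posixpath

# Hypothetical in-memory stand-in for the approval store the comment describes:
# key = script or class path, value = approved content hash.
# An empty hash marks an "approve indefinitely" entry. All paths are constructed.
APPROVALS = {
    "/var/jenkins/scripts/deploy.groovy": hashlib.sha256(b"println 'deploy'").hexdigest(),
    "/var/jenkins/shared-libs": "",
}


def _digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def _find_entry(path: str, approvals: dict):
    """Return (entry_path, hash) for the longest approved path covering `path`."""
    norm = posixpath.normpath(path)  # collapse ".." so a request cannot borrow an exemption
    best = None
    for entry, digest in approvals.items():
        root = posixpath.normpath(entry)
        # Match the entry itself or anything below it; "root + '/'" stops
        # "/shared-libs-other" from matching "/shared-libs".
        if norm == root or norm.startswith(root + "/"):
            if best is None or len(root) > len(best[0]):
                best = (root, digest)
    return best


def check(path: str, content: bytes, approvals: dict = APPROVALS) -> str:
    """Classify a load request as 'pinned', 'indefinite' or 'denied'."""
    entry = _find_entry(path, approvals)
    if entry is None:
        return "denied"        # never approved
    _, digest = entry
    if digest == "":
        return "indefinite"    # proposed behaviour: checksum comparison skipped
    return "pinned" if digest == _digest(content) else "denied"


def audit(approvals: dict = APPROVALS) -> list:
    """List entries whose integrity rests on filesystem permissions alone."""
    return sorted(p for p, d in approvals.items() if d == "")
```

Every path returned by `audit()` loads whatever content is present at run time, so the approval is only as strong as the write permissions on that location.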