Score:0

Trigger a monit reload after unattended upgrades

I have run into an issue when combining monit with Ubuntu/Debian unattended upgrades. Monit monitors services and binaries, and flags changes, restarts processes, etc. as needed. However, when a package providing a service is updated (say, nginx), a checksum check is triggered because the binary has changed, such as with this config:

check process nginx with pidfile /var/run/nginx.pid
  group www
  group nginx
  start program = "/usr/bin/systemctl start nginx.service"
  stop program = "/usr/bin/systemctl stop nginx.service"
  if 5 restarts with 5 cycles then timeout
  depend nginx_bin

check file nginx_bin with path /usr/sbin/nginx
  group nginx
  if changed checksum then alert
  include /etc/monit/templates/rootbin

Both are useful things; however, there is an unfortunate interaction with unattended upgrades: if the binary changes, and then the service stops (for some reason), it will not be restarted because monit doesn't want to reload an altered binary. This is understandable, but annoying in this context because unattended upgrades is a legitimate and expected source of updates.

Is there some way to configure a post-update hook script in unattended upgrades that I can use to trigger a monit reload in order to update the checksums, and thus prevent this issue?

Score:0

A suggestion only: you can use Monit (check file) to monitor the /var/log/dpkg.log file to get information about an update and then reload the configuration if necessary.

On the other hand, this will break the security test based on the checksum.

Score:0

I found a clean solution to this with the help of this answer.

All I needed to do is add an apt config file in /etc/apt/apt.conf.d/99monit containing:

DPkg::Post-Invoke {"/usr/bin/monit reload";};

Now whenever packages are updated, monit is reloaded. It can be a little noisy, but it doesn't happen very often.
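
An added example, not part of the original answer and not code from monit or apt: a hook script that reloads monit only when each watched binary matches the checksum dpkg recorded for it, so the reload from the answer above does not also accept a change that did not come from a package (the concern raised in the second answer). The script path /usr/local/sbin/monit-reload-hook, the DPKG_INFO and ROOT overrides, and passing the watched paths as arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gate "monit reload" on dpkg's own checksum records.
# Hypothetical install, replacing the plain reload in /etc/apt/apt.conf.d/99monit:
#   DPkg::Post-Invoke {"/usr/local/sbin/monit-reload-hook /usr/sbin/nginx";};

DPKG_INFO="${DPKG_INFO:-/var/lib/dpkg/info}"  # where dpkg keeps <pkg>.md5sums
ROOT="${ROOT:-}"                              # path prefix, overridable for testing

# Print the md5 dpkg recorded for an absolute path; print nothing if unowned.
recorded_md5() {
    rel="${1#/}"   # md5sums entries are relative to /, e.g. "usr/sbin/nginx"
    cat "$DPKG_INFO"/*.md5sums 2>/dev/null |
        awk -v p="$rel" '{ h = $1; sub(/^[^ ]+  /, "")
                           if ($0 == p) { print h; exit } }'
}

# Return 0 only if the file on disk matches the checksum dpkg recorded for it.
matches_package() {
    want=$(recorded_md5 "$1")
    [ -n "$want" ] || return 1                # not shipped by any package
    have=$(md5sum "$ROOT$1" 2>/dev/null | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Run the reload command only if every watched binary is the packaged one.
# $1 = command to run on success; remaining arguments = absolute paths to check.
reload_if_clean() {
    action="$1"; shift
    for f in "$@"; do
        if ! matches_package "$f"; then
            echo "monit-hook: $f differs from dpkg record, not reloading" >&2
            return 1
        fi
    done
    $action
}

# Hook entry point: the watched paths arrive as arguments.
if [ "$#" -gt 0 ]; then
    reload_if_clean "/usr/bin/monit reload" "$@"
fi
```

dpkg's md5sums files live on the same host and can be rewritten by anyone with root, so this separates package upgrades from stray changes; it is not a tamper-proof integrity check.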
