When signing an application and not using a Developer ID certificate, what is the proper way to have stable designated requirements so that you don't get keychain prompts after renewing a certificate?
When using a non-Developer ID code signing certificate, codesign will use default designated requirements of 'identifier = "bundle-id" and certificate leaf = H"SHA1 hash of cert"'. Since the SHA1 hash will change on certificate renewal, the DR will be different. I think this is what's leading to these prompts. Is this correct? What's the best way to prevent this?