Not being prompted when removing a root CA

We have our own root CA that is installed with our application. For non-MDM installs, the system asks if the user wants to do that, which is all well and good.

It also used to ask us when removing that certificate. It doesn't now. So now I am wondering if I dreamed it, except other people say they also got prompted and don't now.

It's being installed and removed using the security command, in scripts.

And now, during automated tests, we're apparently not getting prompted to install a new root CA. Sometimes.

This is being done via Installer/installer, and a post-install script that uses the security command to install the root CA as trusted.

We're installing using /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${APP_SUPPORT_PATH}/root.crt and /usr/bin/security remove-trusted-cert -d ${APP_SUPPORT_PATH}/root.crt to remove it.

Not being prompted when removing a root CA
 
 
Q