I just found out the answer, because my 1-year code signing certifcate expired a few days ago.
The ESRISignAddIn.exe utility DOES NOT timestamp the digital signature, and therefore once valid dates for the signing cert are exceeded, Add-ins will, at best, show an expired and untrusted digital signature; and worse, if the security setting for Add-ins is set to "Require Add-Ins to be digitally signed by a trusted publisher" -- the Add-In will no longer be loaded.
Frankly, this behavior will lead to a deployment nightmare. Having software fail in the field just because the original signing cert expires is not typical. And neither is having to re-sign ALL previously completed, signed and released software.
I am hoping ESRI can comment, and possibly provide a work around.
Additionally, I just noticed that one can't simply re-run the ESRISignAddIn.exe utility on an Add-In that was previously signed, to re-sign it with a new certificate -- doing that crashes the utility. It must be run on an un-signed version of the Add-In.
-Jeff