Well. The short version is that I solved this by updating both MacOS and the command-line Dev-Tools. The Longer version.... I was never too confident about Googles AI telling the the certificate had expired. So I worked out how to run some checks running openssl commands. The certificate chain appeared to be good. (I have since disabled Googles AI summary - let's hear it for UBlock Origin!) So then I looked at the Mac. It was an M1 Mini running MacOS 11.3. The development tools were (I think) 12.5. No physical access to the machine - it sits in a data centre somewhere. So somewhat out of date then. The result of avoiding updates to a shared (and somewhat critical) server. So after discussion with the machines only other regular user. I started updating. The O/S update to 15.4 and the tools update to 16.3 led to various other issues. Oddly, the perl install would not load modules from CPAN, and (less oddly) the dev tools refused to build various components. I had logged something like 50-60 commits to our code base, and two open-source library updates before I finally had the machine running and notarizing builds again. The whole process took something like 12 working days. Our QA department is very happy to have it back online. My best guess as to the issue would have to be simply out of date software being used to check the certificate chains. Presumably an O/S component somewhere?