A little late to the party, but I can definitively answer this. When a .pkpass bundle is signed, the signature contains the signing date. As long as the date is within the validity of the certificate used to sign it, then the pass will continue to function and can be deleted and re-installed. If a certificate expires, you are unable to sign a new .pkpass bundle, which means that you cannot create any new passes or update old passes. But your legacy passes will continue to function. Passes signed with a new certificate with the same PassTypeIdentifier will overwrite the old passes - meaning that updates signed with the new certificate will work seamlessly.