"You are correct, private roots do not have to be under 398 days, but they do have to be under 825 days." I think this is means to say "private SSL certificates" (in many self-signed scenarios the SSL certificate IS the root, but it doesn't need to be this way and the roots can be as long as you like as long as you use a proper chain, e.g. https://stackoverflow.com/questions/44550970).

@eskimo thanks for the reply. After reading your response, I created a test profile (non-Admin) on Macbook Pro M1 Ventura 13.4.1 and the issue is not reproducible, so testing with a trivial installer is not (yet) possible because I do not have a baseline for reproducing. The original issue was reported on an i7, but they've since upgraded to 13.4.1 as a troubleshooting step. Are you aware of any older "known" issues that may have perpetuated through the upgrade?

How then do you recommend distributing an application built with Python, Java or a framework language which requires parameters passed to the executable? If the answer is to use Swift or Objective-C to create a launcher, this is a smelly solution. The scripted solution has worked great for a long time. This question is about fixing the cache when oah has incorrectly flagged an application as the wrong architecture. Dismissing a known working technique is very disheartening.