In Inno Setup you can use use signonce flag to prevent the compiler from signing the same file multiple times.
What if the certificate of the signed file is out of date and the new one is valid? Would it override and sign to bring it into being up to date?
It looks like the signonce checks for a mere presence of the signature. It does not validate it anyhow. So I believe that a file with an expired certificate (or really invalid certificate in any other way) won't be re-signed.
References:
Though note that expired certificate is not a problem. It's expected that a certificate used to sign a binary expires eventually.