diff --git a/deploy/install.sh b/deploy/install.sh
index 933cbf6..77784d1 100755
--- a/deploy/install.sh
+++ b/deploy/install.sh
@@ -192,9 +192,14 @@ ensure_signing_identity() {
 
     # 2. Prefer the self-signed "Quinn Norton" identity.
     SIGNING_IDENTITY="$SIGNING_IDENTITY_FALLBACK"
-    # Count how many valid signing identities are in the dedicated keychain.
+    # Count how many signing identities are in the dedicated keychain.
+    # NOTE: we deliberately omit -v (valid-only filter). The self-signed
+    # cert is not in System trust settings — find-identity -v returns 0
+    # for it, which would loop-regenerate the cert every install and
+    # invalidate TCC grants (FDA, AppleEvents, etc.) bound to the old
+    # cert hash. Without -v we still match the cert by label and identifier.
     local identity_count
-    identity_count=$(security find-identity -p codesigning -v "$MAC_SYNC_KEYCHAIN_PATH" 2>/dev/null | grep -c "\"$SIGNING_IDENTITY\"" || true)
+    identity_count=$(security find-identity -p codesigning "$MAC_SYNC_KEYCHAIN_PATH" 2>/dev/null | grep -c "\"$SIGNING_IDENTITY\"" || true)
 
     if [[ "$identity_count" -eq 1 ]]; then
         print_success "Code-signing identity '$SIGNING_IDENTITY' already in keychain"