I am in the process of adapting our custom (auto-)updater to work with OS X apps. (These OS X apps will be distributed outside of the Mac App Store.)
After the new bundle is downloaded, I am selectively overwriting certain files. However, it is unclear to me whether there is a situation where I should also overwrite the _CodeSignature folder in the "old" app with the newer one.
As (currently) the Gatekeeper checks a downloaded app only the first time it is run, the above becomes a non-issue (again: for the time being).