When replacing an expired Enterprise Distribution certificate, do I have to resign the whole App?
Solution 1:
No - spoofing the key signature would be equivalent to bypassing the chain of trust entirely. You'd probably be able to sell that exploit to bad actors and governments for a lot of money.
You will need to re-sign the apps and likely increment the version numbers on them before pushing them out since Apple doesn't re-sign things for you dynamically as they do with App store downloads.