I’ve recently added the code signing identities for a client to my dev Mac. Some old code signing scripts then failed to run:

🛑 Apple Development: ambiguous (matches “Apple Development: Christian Tietze (xxxxxxxxxx)” and “Apple Development: Christian Tietze (xxxxxxxxxx)” in /Users/myuser/Library/Keychains/login.keychain-db)

Never encountered that before, to be frank.

Turned out that the script was using the $CODE_SIGN_IDENTITY environment variable, which is just the string “Apple Development”. ⌘F looking through the other environment variables at my disposal, I found $EXPANDED_CODE_SIGN_IDENTITY, which is a hash, and $EXPANDED_CODE_SIGN_IDENTITY_NAME, which is the expanded form that the error message quoted above uses.

I tried both, and both work. The codesign man pages say as much: either provide a partial matching string, which only works if there’s just one match, or a complete form, or 4 characters of a hash. The $EXPANDED_CODE_SIGN_IDENTITY is more than 4 characters long, but that’s looking like the hash.

The failing script must be pretty ancient, because all my notes with copypasta inside that involve code signing use $EXPANDED_CODE_SIGN_IDENTITY already.