Disambiguate Code Signing Identities

I've recently added the code signing identities for a client to my dev Mac. Some old code signing scripts then failed to run:

🛑 Apple Development: ambiguous (matches “Apple Development: Christian Tietze (xxxxxxxxxx)” and “Apple Development: Christian Tietze (xxxxxxxxxx)” in /Users/myuser/Library/Keychains/login.keychain-db)

Never encountered that before, to be frank.

Turned out that the script was using the $CODE_SIGN_IDENTITY environment variable, which is just the string “Apple Development”. ⌘F looking through the other environment variables at my disposal, I found $EXPANDED_CODE_SIGN_IDENTITY, which is a hash, and $EXPANDED_CODE_SIGN_IDENTITY_NAME, which is the expanded form that the error message quoted above uses.

I tried both, and both work. The codesign man pages say as much: either provide a partial matching string, which only works if there's just one match, or a complete form, or 4 characters of a hash. The $EXPANDED_CODE_SIGN_IDENTITY is more than 4 characters long, but that's looking like the hash.

The failing script must be pretty ancient, because all my notes with copypasta inside that involve code signing use $EXPANDED_CODE_SIGN_IDENTITY already.
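
For scripts that run outside Xcode and have no $EXPANDED_CODE_SIGN_IDENTITY to lean on, here is one way to fail early on the same ambiguity. This is an added example, not code from the original post: the hypothetical helper `resolve_identity` turns a name fragment into a single SHA-1 hash from `security find-identity -v -p codesigning` output. The listing, hashes and team IDs below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `security find-identity -v -p codesigning` output.
# Hashes and team IDs are placeholders, not real certificates.
SAMPLE_LISTING='  1) 1111111111111111111111111111111111111111 "Apple Development: Christian Tietze (AAAAAAAAAA)"
  2) 2222222222222222222222222222222222222222 "Apple Development: Christian Tietze (BBBBBBBBBB)"
  3) 3333333333333333333333333333333333333333 "Apple Distribution: Example Client (CCCCCCCCCC)"
     3 valid identities found'

# resolve_identity QUERY [LISTING]   (hypothetical helper)
# Prints the 40-digit hash when QUERY matches exactly one identity, either as
# a substring of its name or as its full hash.
# Returns 1 when nothing matches and 2 when the match is ambiguous.
# Without LISTING, the live keychain is queried (macOS only).
resolve_identity() {
  query=$1
  listing=${2:-}
  [ -n "$listing" ] || listing=$(security find-identity -v -p codesigning) || return 1

  # Identity lines have the shape:  N) <40 hex digits> "<certificate name>"
  # sort -u collapses a certificate that is listed more than once.
  matches=$(printf '%s\n' "$listing" | awk -v q="$query" '
    $1 ~ /^[0-9]+[)]$/ && $2 ~ /^[0-9A-Fa-f]+$/ && length($2) == 40 {
      name = $0
      sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
      sub(/"[^"]*$/, "", name)   # drop the closing quote and any trailer
      if (index(name, q) > 0 || toupper($2) == toupper(q)) print $2
    }' | sort -u)
  count=$(printf '%s\n' "$matches" | grep -c . || true)

  case $count in
    1) printf '%s\n' "$matches" ;;
    0) echo "no signing identity matches '$query'" >&2; return 1 ;;
    *) echo "'$query' is ambiguous: $count identities match" >&2; return 2 ;;
  esac
}

# Usage in a signing script on macOS (path is a placeholder):
#   identity=$(resolve_identity "Apple Development") || exit 1
#   codesign --sign "$identity" path/to/Example.app
```

Signing with the resolved hash keeps the script working when a second certificate with the same name prefix lands in the keychain, and the non-zero exit makes the ambiguity visible before codesign runs.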