diff --git a/.gitea/workflows/testflight-release.yml b/.gitea/workflows/testflight-release.yml
index 0a75034..cad5664 100644
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -90,14 +90,16 @@ jobs:
 fi
 developer_dir="$(xcode-select -p)"
 signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
- keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
+ mkdir -p "${HOME}/Library/Keychains"
+ keychain_dir="$(cd "${HOME}/Library/Keychains" && pwd -P)"
+ keychain_path="${keychain_dir}/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
 certificate_path="${signing_dir}/appstore-signing.p12"
 wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
 profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
 profile_plist="${signing_dir}/profile.plist"
 old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
 xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
- mkdir -p "${HOME}/Library/Keychains" "${old_profile_dir}" "${xcode_profile_dir}"
+ mkdir -p "${old_profile_dir}" "${xcode_profile_dir}"
 printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
 printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
diff --git a/ios/fastlane/CI.md b/ios/fastlane/CI.md
index 4ea4015..da45cb2 100644
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
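Review bot: `keychain_dir` can end up empty on the added `keychain_dir="$(cd "${HOME}/Library/Keychains" && pwd -P)"` line if the `cd` fails, and `keychain_path` would then point at a file directly under `/`. Whether this step runs under `set -e` is not visible in the hunk, so an explicit guard right after the assignment is safer: `[ -n "${keychain_dir}" ] || { echo "cannot resolve keychain directory" >&2; exit 1; }`. A one-line comment saying why the physical path is resolved (presumably so the path handed to Xcode matches the keychain's real location) would also help the next reader. The script continues outside the hunk.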
@@ -54,7 +54,9 @@ The Release signing settings are also present in `Apps/Sybil/project.yml` so
 XcodeGen emits a manually signed App Store archive configuration. CI passes the
 installed provisioning profile UUID to Fastlane as
 `SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
-project before archiving.
+project before archiving. CI also passes the temporary keychain path as
+`CODE_SIGN_KEYCHAIN` so Xcode searches the disposable keychain for the imported
+Distribution identity.
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
diff --git a/ios/fastlane/Fastfile b/ios/fastlane/Fastfile
index 931b3e7..d5a60cc 100644
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -71,6 +71,7 @@ def apply_release_signing_settings
 settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
 settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
 settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
+ settings["CODE_SIGN_KEYCHAIN"] = ENV["SYBIL_SIGNING_KEYCHAIN_PATH"] if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
 if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
 settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
 settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
@@ -435,6 +436,7 @@ platform :ios do
 xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
 ]
 if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
+ xcode_args << xcode_build_setting("CODE_SIGN_KEYCHAIN", ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH"))
 xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
 end
 xcode_args = xcode_args.join(" ")
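Review bot: When `SYBIL_SIGNING_KEYCHAIN_PATH` is unset, the added `settings["CODE_SIGN_KEYCHAIN"]` line is skipped silently, and signing presumably falls back to the default keychain search list, which on a shared runner may hold other identities. If this release path is only meant to sign from the disposable keychain in CI, fail closed instead, e.g. `UI.user_error!("SYBIL_SIGNING_KEYCHAIN_PATH is not set") if ENV["CI"] && !present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])`. Otherwise add a comment stating that the fallback is intentional for local builds. `apply_release_signing_settings` starts and ends outside the hunk, so a check elsewhere may already cover this.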
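Review bot: The environment-supplied keychain path goes into `xcode_args`, which is joined with spaces at the end of this hunk, so a path containing whitespace or shell metacharacters would split or be reinterpreted unless `xcode_build_setting` escapes its value. That helper is not visible here; confirm it quotes the value, for example with `Shellwords.escape` (needs `require "shellwords"`). The unchanged `OTHER_CODE_SIGN_FLAGS` line also interpolates the same path unquoted after `--keychain`. A short comment explaining why both `CODE_SIGN_KEYCHAIN` and `--keychain` are passed would help as well. The enclosing lane starts and ends outside the hunk.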