diff --git a/ios/.env.example b/ios/.env.example
index dc1e3a7..2e3113f 100644
--- a/ios/.env.example
+++ b/ios/.env.example
@@ -6,6 +6,7 @@ SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
+SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=
 
diff --git a/ios/fastlane/CI.md b/ios/fastlane/CI.md
index cd584b3..5589276 100644
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -42,6 +42,11 @@ certificate and provisioning profile values into the repository secrets listed
 above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
 default.
 
+Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
+exact certificate common name used when exporting a local p12 for secrets, while
+`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
+selector that Xcode uses during archive/export.
+
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The
diff --git a/ios/fastlane/Fastfile b/ios/fastlane/Fastfile
index 27e5187..62e2797 100644
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -20,6 +20,7 @@ APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
 SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
+XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -77,7 +78,7 @@ def release_version
 end
 
 def xcode_build_setting(key, value)
-  "#{key}=#{value.to_s.shellescape}"
+  "#{key.to_s.shellescape}=#{value.to_s.shellescape}"
 end
 
 def env_line(key, value)
@@ -410,7 +411,7 @@ platform :ios do
       xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
       xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
       xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
-      xcode_build_setting("CODE_SIGN_IDENTITY", SIGNING_CERTIFICATE_NAME)
+      xcode_build_setting("CODE_SIGN_IDENTITY", XCODE_CODE_SIGN_IDENTITY)
     ]
     if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
       xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
@@ -433,7 +434,7 @@ platform :ios do
         provisioningProfiles: {
           APP_IDENTIFIER => PROFILE_SPECIFIER
         },
-        signingCertificate: SIGNING_CERTIFICATE_NAME,
+        signingCertificate: XCODE_CODE_SIGN_IDENTITY,
         teamID: TEAM_ID,
         manageAppVersionAndBuildNumber: false,
         uploadSymbols: true,