diff --git a/.gitea/workflows/testflight-release.yml b/.gitea/workflows/testflight-release.yml
index 60f309c..c39f022 100644
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -11,6 +11,8 @@ permissions:
 jobs:
   testflight:
     runs-on: xcode
+    env:
+      SIGNING_KEYCHAIN: sybil_signing_temp
 
     defaults:
       run:
@@ -74,7 +76,7 @@ jobs:
         with:
           p12-file-base64: ${{ secrets.APPSTORE_CERTIFICATES_FILE_BASE64 }}
           p12-password: ${{ secrets.APPSTORE_CERTIFICATES_PASSWORD }}
-          keychain: ${{ env.HOME }}/Library/Keychains/signing_temp
+          keychain: ${{ env.SIGNING_KEYCHAIN }}
 
       - name: Create fastlane environment
         working-directory: ios
@@ -186,3 +188,8 @@ jobs:
             "${api_url}/repos/${repository}/releases/${release_id}/assets?name=${asset_name}" >/dev/null
 
           echo "Published ${IPA_NAME} to ${release_name}"
+
+      - name: Clean up temporary keychain
+        if: always()
+        run: |
+          security delete-keychain "${SIGNING_KEYCHAIN}.keychain"
diff --git a/ios/fastlane/CI.md b/ios/fastlane/CI.md
index b1f2fcb..aff4a1b 100644
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -16,7 +16,8 @@ git push origin release/v1.10.0
 The release job runs on the `xcode` runner label, imports the signing p12 with
 `Apple-Actions/import-codesign-certs`, builds and uploads the app with fastlane,
 then creates or updates the matching Gitea release with the generated IPA as an
-asset.
+asset. The job deletes the temporary signing keychain in an `always()` cleanup
+step.
 
 Required repository secrets: