M4 Mac Mini: Xcode generates private keys with wrong label - codesigning impossible
Background This is a follow up to my November 2024 thread "Keychain issues after installing backup on new Mac" which was closed because I had a temporary workaround. That workaround using my wife's MacBook Air for signing is not sustainable. I used AI assistance to determine the root cause. My DTS case 102877839447 is open but has not yet been forwarded to a DTS engineer.
Environment
- Mac Mini M4, macOS 15.4.1 (Build 25E253)
- Xcode 26.4.1 (17E202)
- Team ID: Q23726668V (Computerade Products)
- Working comparison machine: MacBook Air, macOS 15.3
Precise Bug — Reproducible Every Time Every time Xcode generates a new certificate and key pair on my Mac Mini: Certificate: Apple Development: Michael Birch (9KD5TCGGHG) ✅ Private key: Apple Development: Michael Birch (Computerade Products) ❌ The key uses the organization name instead of the certificate identifier. They never pair as a valid codesigning identity. security find-identity -v -p codesigning always returns 0 valid identities.
Cryptographic Evidence The internal application labels confirm the keys are cryptographically unrelated to their certificates:
- Key internal application label: 53C26EB056997276B5E938258D00665ACABD1F0F
- Certificate public key hash: 57cd1af4a9162f26b1a6d750e05a63a2166b75ff
These do not match ❌
Confirmed Eliminated As Causes
- Keychain search list corruption — found and fixed
- Partition list — set correctly
- Access control — set to allow all applications
- Full Disk Access — granted to Xcode
- Xcode caches and preferences — completely cleared
- Login keychain — completely reset
- Orphaned certificates and keys — all removed
- SIP enabled, system fully up to date
Valid P12 Import Also Fails A p12 exported from the working MacBook Air and cryptographically verified as a matched pair also fails on the Mac Mini:
- security import returns MAC verification failed
- Keychain Access import returns OSStatus -2
- Importing certificate and key separately as PEM files succeeds but they are not recognized as a valid identity pair despite matching application labels A3F3F193B7896DA9055353F59AB450778CB09AE7
Question Is there a known issue with M4 Mac Mini keychain infrastructure where private keys are generated with incorrect internal application labels? Is there a lower level diagnostic or fix beyond what the security command provides?
The problem is specific to my Mac Mini M4 and persisted thru more than a year of Mac OS and xCode updates.