XCode Cloud Developer ID Can't Codesign DMG File

Question

I am using Xcode Cloud to build my Mac Catalyst app for Developer ID Distribution as a DMG package that must be codesigned and notarized. I have a ci_post_xcodebuild.sh script that runs after the Archive action.

This needs to perform the following tasks:

1. Produce a DMG from the provided exported archive located at CI_DEVELOPER_ID_SIGNED_APP_PATH
2. Codesign that DMG using the same certificate identity that Xcode Cloud used when automatic code signing the exported archive using cloud signing.
3. Notarize that code signed dmg with the notary service
4. Generate a Sparkle appcast.xml file
5. Upload the DMG and appcast.xml file to s3

The issue I am having is that I do not have access to the cloud signing keychain identity that Xcode Cloud uses to automatically codesign the exported archive.

I check for identities and none are found. Running:

security find-identity -v -p codesigning
There are no code signing identities available. Make sure you have a "Developer ID (Application)" certificate (with the private key) installed on your Mac with Keychain Access.

How can I access the cloud signing identity in this script so I can sign my DMG file before notarizing it?

I am currently experimenting with installing my own certificate in the build server keychain and run my own archive + export commands after the Build action completes. This is not ideal.

Thanks,

Andrew

https://developer.apple.com/forums/thread/762197