In a code signature, the certificates act as a chain of trust [1]. The first certificate is the leaf, the next is the one that issued the leaf, and so on until you get to a root.
Ah I see, did not realize this before but it makes perfect sense, thank you.
...the next thing to check is whether this is the right type of profile.
Turns out it is not a distribution profile, and this was the problem all along. The error message "Missing code-signing certificate" was a red herring this whole time.
What is interesting is that it appears that it used to work even though it shouldn't have, by virtue of the fact that these app builds are present in TestFlight and the profile it was using dates from before those builds. Alas, am unable to confirm that for certain as CI history is too shallow and we no longer have a copy of the app bundle to verify. At some point altool has stopped returning non-zero exit codes on failure, so CI has been blind to the failures for some months now (probably since Xcode 26, I'm guessing).
Thanks again for your help, it is invaluable. Have bookmarked these resources, especially "Resolving Code Signing Crashes on Launch", which provides a ton of details missing from the technotes and official documentation.
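An added example, not part of the original post or Apple's tooling: a CI-side check that classifies a provisioning profile's type from its decoded plist, so a non-distribution profile is caught before upload. The function names and the sample profile are constructed for illustration; the classification is the common heuristic for iOS-style profiles (`ProvisionsAllDevices`, `ProvisionedDevices`, `get-task-allow`), and the plist payload is assumed to come from `security cms -D -i <profile>`.

```python
import plistlib

# Constructed sample: the plist payload of a profile, as printed by
# `security cms -D -i embedded.mobileprovision` (all values are made up).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Name</key><string>Example Dev Profile</string>
  <key>ProvisionedDevices</key>
  <array><string>CONSTRUCTED-UDID-0001</string></array>
  <key>Entitlements</key><dict>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>"""


def classify_profile(plist_bytes):
    """Return 'enterprise', 'development', 'ad-hoc' or 'app-store'."""
    profile = plistlib.loads(plist_bytes)
    entitlements = profile.get("Entitlements", {})
    debuggable = bool(entitlements.get("get-task-allow", False))
    # In-house (enterprise) profiles provision every device.
    if profile.get("ProvisionsAllDevices", False):
        return "enterprise"
    # A device list means development or ad hoc; only development
    # profiles allow a debugger to attach (get-task-allow = true).
    if "ProvisionedDevices" in profile:
        return "development" if debuggable else "ad-hoc"
    # No device list and not provision-all: App Store distribution.
    return "app-store"


def check_for_upload(plist_bytes):
    """Return an error string for CI, or None if the profile is App Store type."""
    kind = classify_profile(plist_bytes)
    if kind != "app-store":
        return f"profile type is {kind!r}, expected 'app-store'"
    return None


if __name__ == "__main__":
    error = check_for_upload(SAMPLE_PROFILE)
    # Fail the CI step explicitly instead of relying on a later tool's exit code.
    raise SystemExit(error or 0)
```
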