diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0d0e2485..8ecc43c9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -82,7 +82,7 @@ jobs:
       - name: Secrets for signing
         run: |
           echo -n "${{ secrets.APPLE_CERTS_P12 }}" | base64 --decode > ~/.apple-certs.p12
-          echo -n "{{ secrets.APPLE_CERTS_PASS }}" > ~/.apple-certs-pass
+          echo -n "{{ secrets.APPLE_CERTS_PASS }}" > ~/.apple-certs.pass
       - name: Secrets for notarization with rcodesign (new, wip)
         if: false
         run: |
diff --git a/scripts/ci/sign-new-macos-releases.sh b/scripts/ci/sign-new-macos-releases.sh
index cdee8ce1..e453d91c 100755
--- a/scripts/ci/sign-new-macos-releases.sh
+++ b/scripts/ci/sign-new-macos-releases.sh
@@ -30,6 +30,7 @@ echo "::group::Sign and notarize the mac binaries"
         (! test -d "$NEW_DIR") && continue
         DIST_VERSION=$(basename "$NEW_DIR")
         DIST_NAME=$(basename $(dirname "$NEW_DIR"))
+        # TODO: restore dists/kubo/build_matrix (only macos for now, for faster tests)
         DIST_MAC_ARCHS=$(gawk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
         for arch in $DIST_MAC_ARCHS; do
             # create destination dir matching .tar.gz structure
@@ -40,9 +41,10 @@ echo "::group::Sign and notarize the mac binaries"
                 ls -hl "${file}"
 
                 echo "-> Signing ${file}"
+
                 # TODO: we can use  rcodesign if we ever swithc away from macos runner
                 rcodesign sign \
-                    --p12-file ~/.apple-certs --p12-password-file ~/.apple-certs-pass \
+                    --p12-file ~/.apple-certs.p12 --p12-password-file ~/.apple-certs.pass \
                     --code-signature-flags runtime --for-notarization \
                     "${file}"