codesign: “Argument list too long”

问题

In the past, I had to codesign a .dmg file.

The old certificate has since expired, and I have a new one to sign with. No problem, right? Do what I did last time? Yes. I exported the new certificate chain and private key as a .pfx file, in windows. It would seem I can import that directly into the OS X keychain tool, without converting to .p12 first. So I did.

When it comes time to actually codesign, first try says it can't determine which certificate to use. So I put the old certificate chain and private key into one keychain (2011), and the new ones in another (2012), and try again:

so...

codesign -s "Identifier Name" --keychain 2012.keychain --verbose --dryrun somefile.dmg

Returns...

somefile.dmg: signed []

BUT!

codesign -s "Identifier Name" --keychain 2012.keychain --verbose somefile.dmg

Returns...

somefile.dmg: Argument list too long

And just to be sure...

codesign -d --verbose somefile.dmg

Reveals...

somefile.dmg: code object is not signed

And for kicks and giggles,

codesign -s "Identifier Name" --keychain 2011.keychain --verbose somefile.dmg

Reveals...

somefile.dmg: signed generic [somefile.dmg]

tl;dr I can still sign things ok with my expired certificate, but when I try to do so with the new one, it works on a dryrun, but when I try to sign for real, the command returns "argument list too long".

I've been trying to figure this out for about two weeks now I kid you not, and as far I can find from searching, there is nothing to be found on this mysterious error message.

Any ideas as to what is going on, or what more I can do?

Thanks,

-Lunpa