codesign still tries to access other keychains when adding --keychain parameter

We have an automated codesigning setup on our CI/CD infrastructure which uses the codesign command to re-sign an iOS application with a certificate located in a specific keychain. The codesign script works in general, but I detected an unexpected behavior. Even though I tell the codesign command with '--keychain' which keychain it should use, it still tries to access the keychains from the keychain search list. If I add all keychains to the search list, it will lock the execution on a certain call because it tries to access a password-protected keychain which is in the search list. If I remove all keychains from the search list (except the login and the system keychain), codesign won't find the proper signing identity even when pointing to the proper keychain with the --keychain argument.

the codesign command is called as follows:

codesign --sign <signidentity> --keychain <path/to/my.keychain> --force

This happens on macOS 10.14.4 and 10.13.6. I also tried different Xcode versions like 9.2.1, 9.4.x and 10.1.

I'm a little bit at the end of my ideas on how to solve this issue. It feels like the --keychain argument is bugged or doesn't do what I think it should do.


We have the same problem. For now, we have to add the keychain we want to the search list as the only keychain. Then restore all keychains after codesign.
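The workaround in the reply above (make the CI keychain the only entry in the user search list, sign, then put the original list back), written out as a script. This is an added example, not code from the thread or from Apple; the variable names CI_KEYCHAIN, CI_KEYCHAIN_PASSWORD and SIGN_IDENTITY and the use of the .app path as the first argument are assumptions for illustration. The restore runs from an EXIT trap so a failed codesign or an interrupted job does not leave the build agent's search list stripped down.

```shell
#!/bin/sh
# Added example, not code from the thread: make the CI keychain the only entry
# in the user keychain search list for the duration of codesign, then restore
# the original list (the workaround described in the reply above).
# Hypothetical names: CI_KEYCHAIN (path to my.keychain), CI_KEYCHAIN_PASSWORD,
# SIGN_IDENTITY (certificate SHA-1 or common name); the .app path is $1.
set -eu

# `security list-keychains` prints one indented, double-quoted path per line.
# Reduce that to bare paths, one per line, so they can be fed back to `-s`.
parse_keychain_list() {
    sed -e 's/^[[:space:]]*"\{0,1\}//' -e 's/"\{0,1\}[[:space:]]*$//' -e '/^$/d'
}

SAVED_KEYCHAINS=""

save_search_list() {
    SAVED_KEYCHAINS=$(security list-keychains -d user | parse_keychain_list)
}

# Rebuild the saved list as separate arguments (paths may contain spaces).
restore_search_list() {
    [ -n "$SAVED_KEYCHAINS" ] || return 0
    set --
    while IFS= read -r kc; do
        set -- "$@" "$kc"
    done <<EOF
$SAVED_KEYCHAINS
EOF
    security list-keychains -d user -s "$@"
}

sign_with_isolated_keychain() {
    app=$1
    save_search_list
    # Whatever happens below (codesign error, Ctrl-C), put the search list back.
    trap restore_search_list EXIT

    # Only our keychain is searched now, so a locked keychain cannot stall codesign.
    security list-keychains -d user -s "$CI_KEYCHAIN"
    security unlock-keychain -p "$CI_KEYCHAIN_PASSWORD" "$CI_KEYCHAIN"
    # 10.12 and later: let Apple tools (codesign) use the private key without a UI prompt.
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$CI_KEYCHAIN_PASSWORD" "$CI_KEYCHAIN" >/dev/null

    # Fail early if the identity is not actually in this keychain.
    security find-identity -v -p codesigning "$CI_KEYCHAIN" | grep -q "$SIGN_IDENTITY"

    codesign --sign "$SIGN_IDENTITY" --keychain "$CI_KEYCHAIN" --force "$app"
    codesign --verify --verbose=2 "$app"
}

# Only run the signing flow when invoked for real with the variables set.
if [ "$#" -ge 1 ] && [ -n "${CI_KEYCHAIN:-}" ]; then
    sign_with_isolated_keychain "$1"
fi
```

Run it as `CI_KEYCHAIN=/path/to/my.keychain CI_KEYCHAIN_PASSWORD=... SIGN_IDENTITY=... ./sign.sh Payload/App.app`. The `find-identity` check is there because, as the question notes, a bad search list makes codesign report a missing identity rather than a keychain problem; checking the keychain directly separates the two cases.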