diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index b2258fa..a60fe4f 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -96,16 +96,28 @@ jobs:
 # xcodebuild's signing lookup consults the DEFAULT keychain — being on the
 # search list alone isn't enough (find-identity sees the cert, export doesn't).
 security default-keychain -d user -s "$KEYCHAIN"
- # Apple's intermediates — without the issuing CA in the chain the identity is
- # "invalid" and xcodebuild reports "No signing certificate ... found" even
- # though the cert imported fine (fresh boxes don't ship all WWDR/Developer ID
- # intermediates).
+ # Apple's intermediates — without the issuing CA in the chain the leaf is "invalid"
+ # and dropped from find-identity -v (cert imports fine, just isn't a *valid*
+ # identity). Fresh boxes don't ship all WWDR/Developer ID intermediates. RETRY: a
+ # single transient miss here is exactly what silently broke iOS — Apple Distribution
+ # chains through WWDR G3, while Developer ID (-> DeveloperIDG2CA) kept working.
 for ca in DeveloperIDG2CA AppleWWDRCAG3 AppleWWDRCAG4; do
- curl -sf "https://www.apple.com/certificateauthority/$ca.cer" \
- -o "$RUNNER_TEMP/$ca.cer" \
- && security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null \
- || echo "::warning::could not stage intermediate $ca"
+ for attempt in 1 2 3; do
+ curl -fsS "https://www.apple.com/certificateauthority/$ca.cer" \
+ -o "$RUNNER_TEMP/$ca.cer" \
+ && security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 \
+ && break
+ [ "$attempt" = 3 ] && echo "::warning::could not stage intermediate $ca after 3 tries"
+ sleep 2
+ done
 done
+ # Chain-vs-clock diagnostic: is the WWDR intermediate (Apple Distribution's issuer)
+ # actually present, and is the runner's clock past the cert's notBefore?
+ echo "runner date (UTC): $(date -u)"
+ security find-certificate -c "Apple Worldwide Developer Relations Certification Authority" \
+ "$KEYCHAIN" >/dev/null 2>&1 \
+ && echo "WWDR intermediate (Apple Distribution issuer): present in keychain" \
+ || echo "::warning::WWDR intermediate MISSING — Apple Distribution leaf will be invalid"
 printf '%s' "$P12_B64" | base64 -d > "$RUNNER_TEMP/devid.p12"
 security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \
 -T /usr/bin/codesign -T /usr/bin/security
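Review bot: The chain-vs-clock diagnostic at the end of the hunk only prints the runner's clock and never the leaf's notBefore, because it runs before the `devid.p12` import on the lines that follow (the enclosing `run:` script starts before this hunk); moving it after that import and adding something like `security find-certificate -p "$KEYCHAIN" | openssl x509 -noout -dates` for the Apple Distribution leaf would print the window the comment says it checks. The `find-certificate -c "Apple Worldwide Developer Relations Certification Authority"` probe also cannot tell which WWDR generation is present if, as I believe, the G3 and G4 intermediates share that common name, so a keychain holding only G4 would still report "present" even though the comment says Apple Distribution needs G3. In the retry loop, `>/dev/null 2>&1` on `security import` discards the reason an import failed, which is exactly the evidence the "silently broke" investigation needs; leaving stderr visible, or capturing it into the final warning, would help, and the `sleep 2` still runs after the third attempt. Because the downloaded intermediates become trust-chain material in the signing keychain, pinning each `.cer` to a known digest before import (for example `echo "<EXPECTED_SHA256_PLACEHOLDER>  $RUNNER_TEMP/$ca.cer" | shasum -a 256 -c` ahead of `security import`) would keep a tampered download from being staged.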