They're only precious if you know what you're doing. At one point, possible all points on a line, I didn't and don't. I have finally figured out how to install the certificate (call it A) that was in my account at developer.apple.com. But before I found the cheap route, I created a certificate (call it B) that I fear I won't be able to use in 3 years when A expires. I will have forgotten everything and go through this whole mess again. So, I never intend to use B and would prefer to not be tempted to even try it.

Looks like I have to jump through some hoops to store the password a different way and then add the --keychain-profile AC_PASSWORD option on the command line. Not at all happy as this provides me with no apparent benefit. Just lots of change. Thanks for nothin.

Here is a link to the migration doc I cited: TN3147: Migrating to the latest notarization tool | Apple Developer Documentation?changes=_3_3

And I should mention that I'm using an app-specific password and that I've been using altool this way for years.

I should mention the fact that I can display the password in the keychain if I execute this: security find-generic-password -w -s 'AC_PASSWORD' -a "$notarizeUser"