diff --git a/tests/conftest.py b/tests/conftest.py
index ba9414e9..4f567c25 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -23,24 +23,25 @@ def self_signed_certificate_macos(tmp_path):
     signing_identity_password = "1234"
     notarization_identity = "testapplication"
     notarization_identity_password = "5678"
-    keychain_password = "abcd"
-    env = {
-        "APPLICATION_SIGNING_ID": notarization_identity,
-        "APPLICATION_SIGNING_PASSWORD": notarization_identity_password,
-        "INSTALLER_SIGNING_ID": signing_identity,
-        "INSTALLER_SIGNING_PASSWORD": signing_identity_password,
-        "KEYCHAIN_PASSWORD": keychain_password,
-        "ROOT_DIR": str(cert_root),
-    }
     # Installer certificates must be trusted to be found in the keychain.
     # Users will be asked for authentication.
     # On GitHub runners, the system keychain does not require authentication,
     # which is why it is unsed on the CI.
     if ON_CI:
         keychain_path = "/Library/Keychains/System.keychain"
+        keychain_password = ""
     else:
         keychain_path = str(cert_root / "constructor.keychain")
-    env["KEYCHAIN_PATH"] = keychain_path
+        keychain_password = "abcd"
+    env = {
+        "APPLICATION_SIGNING_ID": notarization_identity,
+        "APPLICATION_SIGNING_PASSWORD": notarization_identity_password,
+        "INSTALLER_SIGNING_ID": signing_identity,
+        "INSTALLER_SIGNING_PASSWORD": signing_identity_password,
+        "KEYCHAIN_PASSWORD": keychain_password,
+        "KEYCHAIN_PATH": keychain_path,
+        "ROOT_DIR": str(cert_root),
+    }
     p = subprocess.run(
         ["bash", REPO_DIR / "scripts" / "create_self_signed_certificates_macos.sh"],
         env=env,