You have to do pretty much two steps before you have the
ipa file: archive then export. There are code-signing actions in both steps.
You create an archive of your app regardless of the type of distribution method you select. Code-signing happens roughly after building.
Which certificate is needed here really depends on your project config: archive needs the type of certificate you specify in
building settings with respect to the
build configuration specified in your schema.
So yes, if you specify
Don't Code Sign in building settings, archive won't do code-signing.
What kind of certificate is needed when exporting from archive to
ipa is straight-forward: depending on what kind of export you are doing.