You have to do pretty much two steps before you have the ipa
file: archive then export. There are code-signing actions in both steps.
You create an archive of your app regardless of the type of distribution method you select. Code-signing happens roughly after building.
Which certificate is needed here really depends on your project config: archive needs the type of certificate you specify in building settings
with respect to the build configuration
specified in your schema.
So yes, if you specify Don't Code Sign
in building settings, archive won't do code-signing.
What kind of certificate is needed when exporting from archive to ipa
is straight-forward: depending on what kind of export you are doing.