Signing software artifacts with NumFOCUS-provided certificates on macOS and Windows

### Project

conda-forge

### Observations

A number of projects produce redistributable software artifacts that would benefit from certificate signing to avoid runtime warnings for end users and overall improved security experience.

Note that, while I'm asking on behalf of conda-forge, I've been involved in conversations with maintainers from Spyder, napari, Scientific Python and others, where this need was also identified.

Signing works differently in macOS and Windows. TL;DR: We need Apple Developer Portal, and Azure Trusted Signing. And then document everything because this is not very intuitive.

## macOS

These are provided directly by the Apple Developer Portal, and IIRC this service is already offered by NF. I'd like to know what the procedure is to ask for the necessary certificates (installer and application). Once generated, I don't think we want to store them directly in GH secrets so we would need some kind of secret vault. 1Password should work here for cross-project access, I hope? Some docs in [this blog post](https://melatonin.dev/blog/how-to-code-sign-and-notarize-macos-audio-plugins-in-ci/).

## Windows

The requirements for Windows signing have changed in the last few years, and they need to be stored in special hardware (e.g. [see this SO question](https://stackoverflow.com/questions/76579789/is-there-any-way-to-get-a-code-signing-certificate-into-azure-key-vault-given-th/76925226#76925226)). So we have two options:
  - The old way. Buy our own certificate and store it in Azure Key Vault. The certificates are not provided by Microsoft, but by [3rd parties](https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-cert-manage#get-or-renew-a-code-signing-certificate). The process is a bit manual, and might involve phone calls, exchange of USB keys and whatnot. Some guides at this [blog post](https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/) or [this one](https://blog.openziti.io/signing-executables-from-github-actions). Everything looks very complicated so instead...
  - The new way. Use Azure Trusted Signing, which is a cloud service that costs $10/mo for individuals. Involved setup but once working it should be ok? Some guides in [this blog post](https://weblog.west-wind.com/posts/2025/Jul/20/Fighting-through-Setting-up-Microsoft-Trusted-Signing), or [this one](https://www.installpackbuilder.com/help/build-settings/package-trusted-signing/), or [this one](https://clarionhub.com/t/microsoft-trusted-code-signing-steps-to-set-it-up/7861), or [this one](https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/). Everywhere I read this seems to be the way to go in 2025.
    - [Similar option from Digicert](https://www.digicert.com/signing/code-signing-certificates#code_signing_key_locker) (but more expensive)

## References

These are issues where different projects have investigated this fun issue:

- https://github.com/conda-forge/miniforge/issues/429
- https://github.com/conda-forge/miniforge/issues/201
- https://github.com/scientific-python/installer/issues/10
- https://github.com/napari/packaging/issues/212
- https://github.com/spyder-ide/spyder/issues/21389
- https://github.com/conda-forge/miniforge/issues/725

cc'ing some folks who have looked into this in the past @mrclary (Spyder), @jni (napari), @matthew-brett (Scientific Python), @wolfv (Pixi)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Signing software artifacts with NumFOCUS-provided certificates on macOS and Windows #69

Project

Observations

macOS

Windows

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Signing software artifacts with NumFOCUS-provided certificates on macOS and Windows #69

Description

Project

Observations

macOS

Windows

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions