Unsigned .pyd files blocked by Windows WDAC code integrity policies #30832

@NotMyself

Describe the issue:

NumPy's compiled extension modules (.pyd files) are not Authenticode-signed. On Windows systems with WDAC (Windows Defender Application Control) code integrity policies enforced, this causes numpy to fail to import with:

DLL load failed while importing _mt19937: An Application Control policy has blocked this file.

This is becoming increasingly common as organizations deploy WDAC policies, and it breaks any Python application that depends on numpy — even if the application only needs numpy for optional features.

Reproduce the code example:

# On a Windows system with WDAC code integrity enforced:
import numpy  # Fails with DLL load error

Verify that .pyd files are unsigned:

Get-AuthenticodeSignature (Get-ChildItem -Recurse -Filter "*.pyd" -Path "$env:APPDATA\uv\tools\chunkhound\Lib\site-packages\numpy")
# All show Status: NotSigned

Error message:

ImportError: DLL load failed while importing _mt19937: An Application Control policy has blocked this file.

NumPy/Python version information:

  • numpy 2.4.2
  • Python 3.13
  • Windows 11 Pro 10.0.26100 (x64)
  • WDAC CodeIntegrityPolicyEnforcementStatus = 2 (enforced)

Context

This was reported in chunkhound/chunkhound#192 where it crashes the MCP server at startup. The workaround is to lazy-load numpy so it's only imported when actually needed, but that doesn't help applications that require numpy at startup.

Authenticode-signing the .pyd files in the wheel build would allow numpy to work on WDAC-enforced systems. Other major projects with native extensions (e.g., some Microsoft packages) sign their DLLs for this reason.

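The lazy-load workaround mentioned under Context, as an added example that is not part of the original issue and is not numpy's or chunkhound's code: the import is deferred to first use, and a code-integrity block is distinguished from an ordinary missing module so the application can report it instead of crashing at startup. `LazyModule`, `embed` and `blocked_import` are hypothetical names, and matching on the English error text quoted in the issue is an assumption.

```python
import importlib

# Fragment of the ImportError text quoted in this issue. Assumption: the
# English-locale wording; a localized Windows may phrase it differently.
WDAC_MARKER = "An Application Control policy has blocked this file"


class LazyModule:
    """Defer importing an optional native dependency until first use.

    `importer` is injectable so the failure path can be exercised on a
    machine without WDAC enforcement (hypothetical helper).
    """

    def __init__(self, name, importer=importlib.import_module):
        self._name = name
        self._importer = importer
        self._module = None
        self.error = None
        self.blocked_by_policy = False

    def load(self):
        """Return the module, or None if it cannot be loaded."""
        if self._module is None and self.error is None:
            try:
                self._module = self._importer(self._name)
            except ImportError as exc:
                # Remember the failure so later calls do not retry the load.
                self.error = str(exc)
                self.blocked_by_policy = WDAC_MARKER in self.error
        return self._module


def embed(values, np_loader):
    """Feature that needs numpy; degrades instead of failing at startup."""
    np = np_loader.load()
    if np is None:
        reason = ("blocked by WDAC policy" if np_loader.blocked_by_policy
                  else "not importable")
        return {"ok": False, "reason": reason}
    return {"ok": True, "mean": float(np.mean(values))}


def blocked_import(name):
    # Constructed stand-in that reproduces the error text from this issue.
    raise ImportError(
        f"DLL load failed while importing _mt19937: {WDAC_MARKER}.")
```

Surfacing `blocked_by_policy` in logs gives administrators a clear signal that the policy, not a broken install, stopped the load.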