feat: build new trampoline binaries with signing, integrate windows signing

[wolfv]

Description

This PR integrates signing for Windows, by using a certificate on Azure that is linked to us (prefix.dev GmbH). After signing, the binaries should not trigger a smart screen anymore when downloading (especially relevant for the MSI installer). Note: today, a smart screen is not triggered by the PowerShell script afaik.

We also use the same signing mechanism for the "trampoline" binaries on Windows (used by Pixi Global).

We do not yet sign the "launcher" binaries (ideally that would be done by the conda community in conda/conda-launchers#11).

What we should test:

• after running the release workflow with a MSI download / exe download we shoudl validate the signatures.
• also test to install something with pixi global and validate that the trampoline exectable is correctly signed.

Fixes #{issue}

How Has This Been Tested?

AI Disclosure

• This PR contains AI-generated content.
  • I have tested any AI-generated content in my PR.
  • I take responsibility for any AI-generated content in my PR.

Tools: {e.g., Claude, Codex, GitHub Copilot, ChatGPT, etc.}

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added sufficient tests to cover my changes.
• I have verified that changes that would impact the JSON schema have been made in schema/model.py.

[Hofer-Julian]

Only had one comment, apart from that it looks good

[Hofer-Julian]

Looks good!

[ruben-arts]

To test this you should push the branch to prefix-dev/pixi and kick off the release with dry-run this should create the binaries and then we can test it.

[wolfv]

The trampolines are already updated in this PR – but also a good idea. Kicked off a dry-run build! https://github.com/prefix-dev/pixi/actions/runs/22399075772

[wolfv]

The MSI is properly signed 🎉 and the same for the .exe