diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index df748bb94e..be17bc167e 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -11,6 +11,16 @@ inputs:
   APPLE_IDENTITY:
     description: Apple identity to use for signing
     required: false
+  skip-codesign-import:
+    description: >
+      When 'true', skip importing the Apple Developer ID into the keychain.
+      Useful for recipes whose binaries require adhoc signing (eg. those
+      carrying com.apple.security.virtualization / .hypervisor entitlements,
+      which need either adhoc or a matching provisioning profile to be
+      accepted by macOS at runtime). Defense-in-depth on top of brewkit's
+      fix-machos.rb policy. See pkgxdev/pantry#7853.
+    required: false
+    default: 'false'
 
 runs:
   using: composite
@@ -38,11 +48,11 @@ runs:
       # delete it if it does.
     - name: Delete keychain
       shell: sh
-      if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64
+      if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64 && inputs.skip-codesign-import != 'true'
       run: security delete-keychain signing_temp.keychain || true
     - uses: apple-actions/import-codesign-certs@v6
-      if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64
+      if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64 && inputs.skip-codesign-import != 'true'
       with:
         p12-file-base64: ${{ inputs.p12-file-base64 }}
         p12-password: ${{ inputs.p12-password }}
diff --git a/.github/workflows/pkg-platform.yml b/.github/workflows/pkg-platform.yml
index c6693dc2c4..bcde347981 100644
--- a/.github/workflows/pkg-platform.yml
+++ b/.github/workflows/pkg-platform.yml
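Review bot: Adding `&& inputs.skip-codesign-import != 'true'` to the `Delete keychain` step's `if:` means a `signing_temp.keychain` left behind by an earlier run on a persistent runner is no longer removed when the import is skipped, so the Developer ID identity can still be present in a build the new input says should be adhoc-signed, which undercuts the defense-in-depth the description promises. Only the `apple-actions/import-codesign-certs@v6` step needs the new condition; the delete step should keep `if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64` (or run whenever `runner.os == 'macOS'`, since it already tolerates a missing keychain with `|| true`). The context line `# delete it if it does.` appears to describe exactly that stale-keychain case, though the start of that comment and the rest of the `steps:` list lie outside the hunk.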
@@ -40,6 +40,13 @@ on:
       invalidate-cloudfront:
         type: boolean
         default: true
+      skip-codesign-import:
+        description: >
+          Skip importing the Apple Developer ID into the keychain.
+          For recipes whose binaries need adhoc signing (virtualization /
+          hypervisor entitlements). See pkgxdev/pantry#7853.
+        type: boolean
+        default: false
     secrets:
       APPLE_CERTIFICATE_P12: { required: false }
       APPLE_CERTIFICATE_P12_PASSWORD: { required: false }
@@ -80,6 +87,7 @@ jobs:
           p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
           p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
           APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
+          skip-codesign-import: ${{ inputs.skip-codesign-import }}
 
       - uses: pkgxdev/setup@v5
         with:
diff --git a/.github/workflows/pkg.yml b/.github/workflows/pkg.yml
index 5e88f4adce..c77341f136 100644
--- a/.github/workflows/pkg.yml
+++ b/.github/workflows/pkg.yml
@@ -16,6 +16,13 @@ on:
       invalidate-cloudfront:
         type: boolean
         default: true
+      skip-codesign-import:
+        description: >
+          Skip importing the Apple Developer ID into the keychain.
+          For recipes whose binaries need adhoc signing (virtualization /
+          hypervisor entitlements). See pkgxdev/pantry#7853.
+        type: boolean
+        default: false
 
 jobs:
   plan:
@@ -54,4 +61,5 @@ jobs:
       tinyname: ${{ matrix.platform.tinyname }}
       complain: ${{ inputs.complain }}
       invalidate-cloudfront: ${{ inputs.invalidate-cloudfront }}
+      skip-codesign-import: ${{ inputs.skip-codesign-import }}
     secrets: inherit
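Review bot: In the `@@ -80,6 +87,7 @@` hunk, `skip-codesign-import: ${{ inputs.skip-codesign-import }}` forwards a `type: boolean` workflow input into a composite-action input that action.yml compares as a string with `!= 'true'`; this only works because the expression renders the boolean as the lowercase literal `true`/`false`, and any other caller of the action that passes `True`, `yes` or `1` would silently keep importing the certificate. That coupling deserves a comment at the call site, e.g. `# rendered as 'true'/'false'; action.yml compares against the string 'true'`, and the same quoted-string contract should be stated in the action's `description:` so future callers do not guess. The enclosing `- uses:` step and the job definition start outside the hunk, so I cannot tell whether APPLE_IDENTITY is still handed to later signing steps when the import is skipped; if it is, those steps presumably need the same gate.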