diff --git a/.pipelines/templates/mac-package-build.yml b/.pipelines/templates/mac-package-build.yml
index 6938ee32e6b..df42d7b661a 100644
--- a/.pipelines/templates/mac-package-build.yml
+++ b/.pipelines/templates/mac-package-build.yml
@@ -152,3 +152,100 @@ jobs:
 displayName: 'Package ${{ parameters.buildArchitecture}}'
 env:
 __DOTNET_RUNTIME_FEED_KEY: $(RUNTIME_SOURCEFEED_KEY)
+
+- job: sign_package_macOS_${{ parameters.buildArchitecture }}
+ displayName: Sign Package macOS ${{ parameters.buildArchitecture }}
+ dependsOn: package_macOS_${{ parameters.buildArchitecture }}
+ condition: succeeded()
+ pool:
+ type: windows
+
+ variables:
+ - name: ob_outputDirectory
+ value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+ - name: ob_sdl_binskim_enabled
+ value: true
+ - name: ob_sdl_credscan_suppressionsfileforartifacts
+ value: $(Build.SourcesDirectory)/PowerShell/.config/suppress.json
+ - name: BuildArch
+ value: ${{ parameters.buildArchitecture }}
+ - group: mscodehub-macos-package-signing
+
+ steps:
+ - download: current
+ artifact: macos-pkgs
+
+ - pwsh: |
+ $buildArch = '${{ parameters.buildArchitecture }}'
+ $macosRuntime = "osx-$buildArch"
+ $pkgNameFilter = "powershell-*$macosRuntime.pkg"
+ $pkgPath = Get-ChildItem -Path $(Pipeline.Workspace) -Filter $pkgNameFilter -Recurse -File
+
+ if ($pkgPath.Count -eq 0) {
+ throw "No package found for $macosRuntime"
+ }
+
+ foreach($p in $pkgPath) {
+ $file = $p.FullName
+ $fileName = $p.BaseName
+ Write-Verbose -verbose "Compressing $file"
+ $zipFile = "$(Pipeline.Workspace)\${fileName}.zip"
+ Write-Verbose -Verbose "Zip file: $zipFile"
+ Compress-Archive -Path $file -Destination $zipFile
+ }
+
+ Write-Verbose -Verbose "Compressed files:"
+ Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*.zip" -File | Write-Verbose -Verbose
+ displayName: Compress package files for signing
+
+ - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
+ displayName: 'ESRP CodeSigning'
+ inputs:
+ ConnectedServiceName: 'ESRPMacOSSigning'
+ AppRegistrationClientId: '$(AppRegistrationClientId)'
+ AppRegistrationTenantId: '$(AppRegistrationTenantId)'
+ AuthAKVName: 'pwsh-CICD-Keyvault'
+ AuthCertName: 'PS-macos-signing'
+ AuthSignCertName: 'ESRP-OneCert' # this is not needed for pkg signing
+ FolderPath: $(Pipeline.Workspace)
+ Pattern: '*.zip'
+ signConfigType: inlineSignParams
+ inlineOperation: |
+ [{
+ "KeyCode": "$(KeyCode)",
+ "OperationSetCode": "MacAppDeveloperSign",
+ "parameters": [
+ {
+ "parameterName": "hardening",
+ "parameterValue": "enable"
+ },
+ {
+ "parameterName": "OpusInfo",
+ "parameterValue": "http://Microsoft.com"
+ }
+ ],
+ "ToolName": "sign",
+ "ToolVersion": "1.0"
+ }]
+ SessionTimeout: 90
+ ServiceEndpointUrl: '$(ServiceEndpointUrl)'
+ MaxConcurrency: 25
+
+ - pwsh: |
+ $signedPkg = Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*osx*.zip" -File
+
+ Write-Verbose -Verbose "Signed package zip: $signedPkg"
+
+ if (-not (Test-Path $signedPkg)) {
+ throw "Package not found: $signedPkg"
+ }
+
+ if (-not (Test-Path $env:ob_outputDirectory)) {
+ $null = New-Item -Path $env:ob_outputDirectory -ItemType Directory
+ }
+
+ Expand-Archive -Path $signedPkg -DestinationPath $env:ob_outputDirectory -Verbose
+
+ Write-Verbose -Verbose "Expanded pkg file:"
+ Get-ChildItem -Path $env:ob_outputDirectory | Write-Verbose -Verbose
+ displayName: Expand signed file
diff --git a/.pipelines/templates/uploadToAzure.yml b/.pipelines/templates/uploadToAzure.yml
index cf4aefdbbfc..150fef9ef71 100644
--- a/.pipelines/templates/uploadToAzure.yml
+++ b/.pipelines/templates/uploadToAzure.yml
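Review bot: In the `Expand signed file` step, `$signedPkg` comes from `Get-ChildItem -Filter "*osx*.zip"` with no architecture scoping and no empty-result check, so when nothing matches, `Test-Path $signedPkg` fails on a null `-Path` binding before the intended `throw` is reached, and when the compress step above (which deliberately loops over every matching `.pkg`) produced more than one zip, `$signedPkg` is an array that `Expand-Archive -Path` is not written to take as a single path. The expand step should mirror the compress step: wrap the lookup in `@()`, scope the filter to the job's architecture, fail on an empty result, and loop over the zips. The line `AuthSignCertName: 'ESRP-OneCert' # this is not needed for pkg signing` keeps an input the comment calls unused; either drop the input or reword the comment to say why the task still requires it. Nothing in the job confirms the signing task actually changed the package; if ESRP can ever return a zip untouched, comparing `Get-FileHash` of each zip before and after the `EsrpCodeSigning@5` task would turn that into a job failure rather than an unsigned artifact reaching `ob_outputDirectory`.
```powershell
$signedPkgs = @(Get-ChildItem -Path $(Pipeline.Workspace) -Filter "*osx-${{ parameters.buildArchitecture }}*.zip" -File)
if ($signedPkgs.Count -eq 0) {
    throw "No signed package zip found under $(Pipeline.Workspace)"
}
# … unchanged: create $env:ob_outputDirectory when missing …
foreach ($signedPkg in $signedPkgs) {
    Write-Verbose -Verbose "Expanding signed package zip: $($signedPkg.FullName)"
    Expand-Archive -Path $signedPkg.FullName -DestinationPath $env:ob_outputDirectory -Verbose
}
# … unchanged: list $env:ob_outputDirectory …
```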
@@ -200,10 +200,27 @@ jobs:
 buildType: 'current'
 artifact: macos-pkgs
 itemPattern: |
- **/*.pkg
 **/*.tar.gz
 targetPath: '$(Build.ArtifactStagingDirectory)/downloads'
- displayName: Download macos packages
+ displayName: Download macos tar packages
+
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ buildType: 'current'
+ artifact: drop_mac_package_sign_package_macos_arm64
+ itemPattern: |
+ **/*.pkg
+ targetPath: '$(Build.ArtifactStagingDirectory)/downloads'
+ displayName: Download macos arm packages
+
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ buildType: 'current'
+ artifact: drop_mac_package_sign_package_macos_x64
+ itemPattern: |
+ **/*.pkg
+ targetPath: '$(Build.ArtifactStagingDirectory)/downloads'
+ displayName: Download macos x64 packages
 - pwsh: |
 Get-ChildItem '$(Build.ArtifactStagingDirectory)/downloads' | Select-Object -ExpandProperty FullName
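Review bot: The two new `DownloadPipelineArtifact@2` tasks reference `drop_mac_package_sign_package_macos_arm64` and `drop_mac_package_sign_package_macos_x64`, while the job that produces them in `mac-package-build.yml` is named `sign_package_macOS_${{ parameters.buildArchitecture }}` with a capital `OS`; presumably the OneBranch drop name is lower-cased, but if it is not, both downloads fail at runtime, so this is worth confirming against a pipeline run. Nothing after the downloads verifies that a signed `.pkg` per architecture actually arrived — as far as I recall, an `itemPattern` that matches nothing does not fail the task, so the `Get-ChildItem` listing in the context line below would show only `tar.gz` files and the upload would proceed without the signed packages; a check such as `if (-not (Get-ChildItem '$(Build.ArtifactStagingDirectory)/downloads' -Filter '*osx-arm64.pkg' -Recurse)) { throw 'signed arm64 pkg missing' }` (and the x64 equivalent) in that `pwsh` step would close the gap. The two task blocks differ only in the architecture string, so if the template exposes an architecture list, a `${{ each }}` loop over it would keep these downloads in step with the sign jobs instead of relying on both files being edited together.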