Using hatch in a restricted environment.

[ffyring]

I am experimenting with using uv with hatch as the build back system to build python packages. A minimal pyproject.toml might look like this:

[project]
name = "my_project"
"version" = "0.0.1"
dependencies = [numpy]

[build-system]
requires = ["hatchling", "hatch-vcs"]
build-backend = "hatchling.build"

[tool.hatch]
build.include = ["*.py"]
build.packages = ["tmy_project"]

When I build the project with uv build I get the error

Building source distribution...
× Failed to build C:\src\my_project
├─▶ Failed to run C:\Users\Fredrik\AppData\Local\uv\cache\builds\v0\.tmpdAXY1O\Scripts\python.exe
╰─▶ This program is blocked by group policy. For more information, contact your system administrator. (os error 1260)

This is due to my restrictive environment forces me to either use whitelisted signed executables, or sign them myself with SignTool.
Since astral.sh do not (yet) sign their distributed python executables, I would like to make a build hook that signs python.exe after the build environment is created but before python has been run.

My first thought was that this was uv:s responsibility (astral-sh/uv#14401 (comment)) but I guess everything in the build is passed to hatch?

Reading about build hooks I added

[tool.hatch.build.hooks.custom]
path = "hooks/my_hook.py"

and created a hooks/my_hook.py

from hatchling.builders.hooks.plugin.interface import BuildHookInterface
import os

class MyHook(BuildHookInterface):
    def initialize(self, version, build_data):
          print(f"Running my custom setup before build in directory {os.getcwd()}")

However, I get the same "Blocked by group policy error". My theory is that (naturally) hatch first creates an isolated build environment in C:\Users\Fredrik\AppData\Local\uv\cache\builds\v0.tmpdAXY1O and uses that environment in the "initialize" hook call.

I need to call a hook that executes a script BEFORE the python initialization hook to sign the python itself. Is this possible?

[ofek]

The build environment can be configured just like any other environment so I suppose in theory you could try this? https://hatch.pypa.io/1.16/config/environment/overview/#pre-install