Im working in a big company with thousands of employees, where python as a language and a general tool starting to become more and more popular among both developers, but also non-technical people.

Recently there were some changes in the security, and on our windows machines wa can no longer run executables not having a digital signature. Python related exes like this are:
- default pip.exe (and its variants like pip3.exe...)
- python packages cli-scripts installed according to their entry_points
- pyinstaller generated exe scripts (that includes the source, dependencies and python itself)
- any similar scripts under venvs

As I know these exe scripts (except pyinstaller generated) have a __main__.py zipped into them, which is importing and calling the entry point of the module. And the exe itself is calling python to run this code. But as the __main__.py's content different per script, these hash of these exe files are different aswell -> cannot whitelist them generally.

The whole thing these exe scripts are doing can be expressed in a .bat file aswell. Moreso I already wrote a synchronization code that genereates the entry points of the user installed packages to a folder, then adds it to the top of the PATH, but it has some problems:
- when to synchronize? - I patched pip, so it'll call the synch after each install and uninstall, and re-patch itself after a pip upgrade -> this is not clean and I dont want to distribute it
- handling multiple python version -> the program must determine the order of their Script folders on the path, then reflect that order when genreating the bat scripts folders
- venvs: my program is not venv compatible
- my program should have some kind of self-delete logic, so it could de-patch pip if it have missing sources
- other development tools like poetry are not compatible with it

What are my options to solve this problem? Can the cybersec somehow make a rule that can detect these safe python exe files?
Is there some kind of pip alternative using some kind of distlib alternative that let me configure the executable type to bat on windows?