From 26a718fc366053709a6358426ccc5f1ca06846f3 Mon Sep 17 00:00:00 2001 From: danielmeppiel Date: Thu, 26 Mar 2026 16:53:31 +0100 Subject: [PATCH 1/2] fix: exclude bundled OpenSSL libs from Linux binary (#462) PyInstaller's bootloader sets LD_LIBRARY_PATH to the binary directory in --onedir mode. When apm spawns git, git-remote-https inherits that path and loads the bundled (build-machine) libssl instead of the system one. On distros where system libcurl requires a newer OpenSSL ABI than the build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes symbol lookup errors and git clone failures. Fix: exclude libssl.so.3 and libcrypto.so.3 from a.binaries on Linux. Python's _ssl module still works because it finds system libssl via the standard dynamic linker search path. Validated via Docker: built on Ubuntu 24.04, tested on Fedora 43 -- apm --version, apm --help, git clone over HTTPS all pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- CHANGELOG.md | 1 + build/apm.spec | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cb248a34..f22e9e1c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Skills now deploy to all active targets (`.opencode/`, `.cursor/`) instead of only `.github/` (#456) - `apm install` no longer rewrites `apm.lock.yaml` when dependencies are unchanged, eliminating `generated_at` churn in version control (#456) - `.github/` is no longer auto-created when other target dirs (`.claude/`, `.cursor/`, `.opencode/`) already exist; copilot is only the fallback for greenfield projects (#456) +- Linux binary no longer bundles `libssl.so.3`/`libcrypto.so.3`, preventing OpenSSL ABI conflicts on distros where system `libcurl` requires a newer OpenSSL than the build machine (e.g. Fedora 43) (#462) ### Added 
diff --git a/build/apm.spec b/build/apm.spec index 36da3b01d..7fbd25c30 100644 --- a/build/apm.spec +++ b/build/apm.spec @@ -209,6 +209,21 @@ a = Analysis( optimize=2, # Python optimization level for smaller, faster binaries ) +# Exclude bundled OpenSSL shared libraries on Linux. +# PyInstaller's bootloader sets LD_LIBRARY_PATH to the binary directory in +# --onedir mode. When apm spawns git, git-remote-https inherits that path +# and loads the bundled (build-machine) libssl instead of the system one. +# On distros where system libcurl requires a newer OpenSSL ABI than the +# build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes +# "symbol lookup error" and git clone failures. Excluding these libs lets +# the system OpenSSL be used instead -- which is always available on Linux. +# Python's _ssl module still works because it finds system libssl via the +# standard dynamic linker search path. See: github.com/microsoft/apm/issues/462 +if sys.platform == 'linux': + _openssl_libs = {'libssl.so.3', 'libcrypto.so.3'} + a.binaries = [(name, path, typ) for name, path, typ in a.binaries + if name not in _openssl_libs] + pyz = PYZ(a.pure, a.zipped_data, cipher=None) # GNU strip corrupts Windows PE/COFF binaries; only enable on Unix From 7c0c6f574361b1e544027e87afb948182dafe6e2 Mon Sep 17 00:00:00 2001 From: danielmeppiel Date: Thu, 26 Mar 2026 17:09:51 +0100 Subject: [PATCH 2/2] fix: address PR review comments - CHANGELOG: use PR number (#466) instead of issue number - apm.spec: soften 'always available' to 'expected on supported targets' Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- CHANGELOG.md | 2 +- build/apm.spec | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f22e9e1c3..37c8666c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,7 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Skills now deploy to all active targets (`.opencode/`, `.cursor/`) instead of only `.github/` (#456) - `apm install` no longer rewrites `apm.lock.yaml` when dependencies are unchanged, eliminating `generated_at` churn in version control (#456) - `.github/` is no longer auto-created when other target dirs (`.claude/`, `.cursor/`, `.opencode/`) already exist; copilot is only the fallback for greenfield projects (#456) -- Linux binary no longer bundles `libssl.so.3`/`libcrypto.so.3`, preventing OpenSSL ABI conflicts on distros where system `libcurl` requires a newer OpenSSL than the build machine (e.g. Fedora 43) (#462) +- Linux binary no longer bundles `libssl.so.3`/`libcrypto.so.3`, preventing OpenSSL ABI conflicts on distros where system `libcurl` requires a newer OpenSSL than the build machine (e.g. Fedora 43) (#466) ### Added diff --git a/build/apm.spec b/build/apm.spec index 7fbd25c30..6ed282068 100644 --- a/build/apm.spec +++ b/build/apm.spec @@ -216,9 +216,10 @@ a = Analysis( # On distros where system libcurl requires a newer OpenSSL ABI than the # build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes # "symbol lookup error" and git clone failures. Excluding these libs lets -# the system OpenSSL be used instead -- which is always available on Linux. -# Python's _ssl module still works because it finds system libssl via the -# standard dynamic linker search path. See: github.com/microsoft/apm/issues/462 +# the system OpenSSL be used instead, which is expected to be available on +# supported Linux targets. Python's _ssl module still works because it finds +# system libssl via the standard dynamic linker search path. See: +# github.com/microsoft/apm/issues/462 if sys.platform == 'linux': _openssl_libs = {'libssl.so.3', 'libcrypto.so.3'} a.binaries = [(name, path, typ) for name, path, typ in a.binaries
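
Review bot: In the build/apm.spec hunk of patch 1/2, the filter `if name not in _openssl_libs` removes only two libraries, while the comment above it gives the cause as git inheriting an LD_LIBRARY_PATH that points at the bundle directory. Every other shared object still in a.binaries therefore stays visible to git and its helpers, so the same class of ABI conflict remains possible for them. Consider also restoring the environment at the point where apm spawns git (PyInstaller keeps the pre-launch value in LD_LIBRARY_PATH_ORIG) so that child processes resolve only against system libraries. The membership test is also an exact string match: it would be a silent no-op if an entry's name carried a directory component or a different soname, so comparing os.path.basename(name) and failing the build when nothing was removed would make that visible.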
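
Review bot: The reworded comment in the build/apm.spec hunk of patch 2/2 says system OpenSSL is "expected to be available on supported Linux targets", but neither the comment nor the commit message states which targets those are, and the only validation reported is a build on Ubuntu 24.04 tested on Fedora 43, where the host OpenSSL is newer than the build machine's. With both libraries excluded, the bundled _ssl module depends on the host providing libssl.so.3 and libcrypto.so.3, so a host without that soname, or with an older OpenSSL than the build machine, would fail when _ssl is loaded rather than at git clone. Suggest naming the minimum supported OpenSSL version in the comment and adding a run on the oldest supported distro to the validation.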