fix: exclude bundled OpenSSL libs from Linux binary (#466)

danielmeppiel · Copilot · web-flow · commit b2b37123a3b4 · 2026-03-26T17:48:40.000+01:00
* fix: exclude bundled OpenSSL libs from Linux binary (#462) PyInstaller's bootloader sets LD_LIBRARY_PATH to the binary directory in --onedir mode. When apm spawns git, git-remote-https inherits that path and loads the bundled (build-machine) libssl instead of the system one. On distros where system libcurl requires a newer OpenSSL ABI than the build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes symbol lookup errors and git clone failures. Fix: exclude libssl.so.3 and libcrypto.so.3 from a.binaries on Linux. Python's _ssl module still works because it finds system libssl via the standard dynamic linker search path. Validated via Docker: built on Ubuntu 24.04, tested on Fedora 43 -- apm --version, apm --help, git clone over HTTPS all pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address PR review comments - CHANGELOG: use PR number (#466) instead of issue number - apm.spec: soften 'always available' to 'expected on supported targets' Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Skills now deploy to all active targets (`.opencode/`, `.cursor/`) instead of only `.github/` (#456)
 - `apm install` no longer rewrites `apm.lock.yaml` when dependencies are unchanged, eliminating `generated_at` churn in version control (#456)
 - `.github/` is no longer auto-created when other target dirs (`.claude/`, `.cursor/`, `.opencode/`) already exist; copilot is only the fallback for greenfield projects (#456)
+- Linux binary no longer bundles `libssl.so.3`/`libcrypto.so.3`, preventing OpenSSL ABI conflicts on distros where system `libcurl` requires a newer OpenSSL than the build machine (e.g. Fedora 43) (#466)
 - SSH-style Git URLs (`git@host:owner/../evil`) now reject path traversal sequences, closing a bypass of the HTTPS validation added in #437 -- by @thakoreh (#458)
 
 ### Changed
diff --git a/build/apm.spec b/build/apm.spec
@@ -209,6 +209,22 @@ a = Analysis(
     optimize=2,  # Python optimization level for smaller, faster binaries
 )
 
+# Exclude bundled OpenSSL shared libraries on Linux.
+# PyInstaller's bootloader sets LD_LIBRARY_PATH to the binary directory in
+# --onedir mode. When apm spawns git, git-remote-https inherits that path
+# and loads the bundled (build-machine) libssl instead of the system one.
+# On distros where system libcurl requires a newer OpenSSL ABI than the
+# build machine provides (e.g. Fedora 43 with OPENSSL_3.2.0), this causes
+# "symbol lookup error" and git clone failures. Excluding these libs lets
+# the system OpenSSL be used instead, which is expected to be available on
+# supported Linux targets. Python's _ssl module still works because it finds
+# system libssl via the standard dynamic linker search path. See:
+# github.com/microsoft/apm/issues/462
+if sys.platform == 'linux':
+    _openssl_libs = {'libssl.so.3', 'libcrypto.so.3'}
+    a.binaries = [(name, path, typ) for name, path, typ in a.binaries
+                  if name not in _openssl_libs]
+
 pyz = PYZ(a.pure, a.zipped_data, cipher=None)
 
 # GNU strip corrupts Windows PE/COFF binaries; only enable on Unix
