ci: upgrade OpenSSL on macOS runners before building #55

Merged: alexrashed merged 6 commits into main from fix/upgrade-openssl-macos-runner on Jun 23, 2026

@alexrashed alexrashed commented Jun 22, 2026

Member

Summary

This issue was discovered in this run triggered for #54:

error resolving PluginSpec for plugin localstack_cli.plugins.cli.pro
Traceback (most recent call last):
  File "plux/runtime/resolve.py", line 50, in to_plugin_spec
  File "importlib/metadata/__init__.py", line 179, in load
  File "importlib/__init__.py", line 88, in import_module
  File "<frozen importlib._bootstrap>", line 1395, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "pyimod02_importers.py", line 457, in exec_module
  File "localstack_cli/pro/core/cli/localstack.py", line 11, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "localstack_cli/pro/core/cli/cloud_pods.py", line 23, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "localstack_cli/pro/core/bootstrap/auth.py", line 8, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "jwt/__init__.py", line 1, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "jwt/api_jwk.py", line 8, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "jwt/algorithms.py", line 23, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "jwt/utils.py", line 7, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "cryptography/hazmat/primitives/asymmetric/ec.py", line 11, in <module>
  File "pyimod02_importers.py", line 457, in exec_module
  File "cryptography/exceptions.py", line 9, in <module>
ImportError: dlopen(/var/folders/2g/92mj4pfn1s5b011gllmmvkfw0000gn/T/_MEI11q7hj/cryptography/hazmat/bindings/_rust.abi3.so, 0x0002): Symbol not found: _SSL_get0_group_name
  Referenced from: <0B82270C-7CBC-3E16-8BB3-C36A2411AD85> /private/var/folders/2g/92mj4pfn1s5b011gllmmvkfw0000gn/T/_MEI11q7hj/cryptography/hazmat/bindings/_rust.abi3.so
  Expected in:     <9B344E3E-5859-3A34-BEDE-FD3F59BB3704> /private/var/folders/2g/92mj4pfn1s5b011gllmmvkfw0000gn/T/_MEI11q7hj/libssl.3.dylib
Usage: localstack [OPTIONS] COMMAND [ARGS]...
Try 'localstack --help' for help.
  • The macos-15-intel smoke test was crashing because the cryptography wheel's Rust extension (_rust.abi3.so) references _SSL_get0_group_name (added in OpenSSL 3.2), but PyInstaller was bundling an older libssl.3.dylib from the runner that doesn't export that symbol.
  • This is because cryptography dropped support for macOS x86_64 altogether with "Drop x86-64 for macOS" (pyca/cryptography#13520).
  • This is why this PR pins the cryptography version to <49 for macOS x86_64.

This is just a dirty fix to keep the CLI alive. We should officially deprecate the CLI for x86_64 macOS as well.

Test plan

  • Verify the build (macos-15-intel, darwin, amd64) job passes the Non-Docker Smoke tests step
  • Verify no regression on macos-14 (arm64) and other runners
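
A check for the failure in the traceback above, as an added example that is not part of this PR or the project's CI: it compares the symbols an extension imports from libssl.3 with those the bundled dylib exports. The nm output samples are constructed, and the function names are hypothetical.

```python
import re
import subprocess

# Constructed sample, shaped like `nm -m -u _rust.abi3.so` output on macOS.
SAMPLE_UNDEFINED = """\
                 (undefined) external _SSL_new (from libssl.3)
                 (undefined) external _SSL_get0_group_name (from libssl.3)
                 (undefined) external _EVP_sha256 (from libcrypto.3)
                 (undefined) external _malloc (from libSystem)
"""
# Constructed sample, shaped like `nm -gU libssl.3.dylib` for an older build.
SAMPLE_EXPORTS = """\
0000000000021a40 T _SSL_new
0000000000034c10 T _SSL_free
"""

UNDEF_RE = re.compile(
    r"\(undefined\)\s+(?:weak\s+)?external\s+(\S+)\s+\(from ([^)]+)\)")

def imports_from(nm_undefined, library):
    """Symbols the extension expects the named library to provide."""
    return {m.group(1) for m in UNDEF_RE.finditer(nm_undefined)
            if m.group(2) == library}

def exports(nm_exports):
    """Names a dylib defines and exports (last column of each nm line)."""
    return {line.split()[-1] for line in nm_exports.splitlines() if line.strip()}

def missing_symbols(nm_undefined, nm_exports, library="libssl.3"):
    """Imports from `library` that the bundled dylib does not export."""
    return sorted(imports_from(nm_undefined, library) - exports(nm_exports))

def _nm(*args):
    return subprocess.run(("nm",) + args, check=True,
                          capture_output=True, text=True).stdout

def check_bundle(extension_path, dylib_path, library="libssl.3"):
    """Run nm on real files from an unpacked bundle (macOS only)."""
    return missing_symbols(_nm("-m", "-u", extension_path),
                           _nm("-gU", dylib_path), library)

if __name__ == "__main__":
    missing = missing_symbols(SAMPLE_UNDEFINED, SAMPLE_EXPORTS)
    print("missing from bundled libssl:", missing)
    raise SystemExit(1 if missing else 0)
```

Run as a post-build step, a non-empty result fails the job before the smoke test hits the dlopen error.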

alexrashed and others added 2 commits June 22, 2026 08:28
The cryptography wheel bundled by PyInstaller references _SSL_get0_group_name
(added in OpenSSL 3.2), but the macos-15-intel runner has an older libssl.3.dylib
that doesn't export this symbol, causing the smoke test to crash. Upgrading
openssl@3 before the build ensures PyInstaller bundles a compatible dylib.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

alexrashed and others added 4 commits June 22, 2026 08:54
cryptography 49.0.0 has no pre-built wheel for macOS x86_64 and builds
from source. The Rust openssl-sys crate picks up Python's OpenSSL via
PKG_CONFIG_PATH (set by setup-python), which differs from the Homebrew
libssl.3.dylib that PyInstaller later bundles — so _SSL_get0_group_name
is present at compile time but missing at runtime.

Setting OPENSSL_STATIC=1 and OPENSSL_DIR forces static linking against
Homebrew's OpenSSL, embedding all required symbols into _rust.abi3.so
and eliminating the libssl.3.dylib runtime dependency entirely. The
timeout is bumped to 10 min to allow for the longer static link step.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

cryptography 49.0.0 has no pre-built macOS x86_64 wheel and builds from
Rust source. setup-python sets PKG_CONFIG_PATH to Python's own OpenSSL,
which openssl-sys picks up for headers during compilation — but PyInstaller
later bundles Homebrew's libssl.3.dylib from /usr/local/opt/openssl@3.
These two OpenSSL builds differ, so _SSL_get0_group_name is present at
compile time but missing at runtime.

Setting OPENSSL_DIR=/usr/local/opt/openssl@3 forces openssl-sys to use
Homebrew's headers and link against Homebrew's dylib, ensuring the
compile-time and runtime libraries match.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

cryptography 49.0.0 dropped macOS x86_64 wheel publishing and switched
to AWS-LC as its Rust backend. Building from source on macos-15-intel
produces a _rust.abi3.so that references _SSL_get0_group_name (an AWS-LC
extension), but PyInstaller bundles standard OpenSSL's libssl.3.dylib
which lacks this symbol, causing a crash at runtime.

Pinning to <49 ensures pip selects 48.0.1, which ships a universal2
wheel with a properly delocated OpenSSL for both arm64 and x86_64.
Reverts the now-unnecessary OPENSSL_DIR workflow workaround.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

Move the pin out of requirements.txt (which affects all platforms) and
into a runner-specific PIP_CONSTRAINT set via GITHUB_ENV. All other
runners continue to get the latest cryptography.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
@alexrashed alexrashed marked this pull request as ready for review June 22, 2026 07:38
@alexrashed alexrashed requested a review from silv-io June 22, 2026 07:39

@silv-io silv-io left a comment

Member

LGTM!

@alexrashed alexrashed merged commit 2fcb736 into main Jun 23, 2026
6 checks passed
@alexrashed alexrashed deleted the fix/upgrade-openssl-macos-runner branch June 23, 2026 09:12