Describe the bug
I'm getting SSL certificate issues when installing from a GitHub repo.
While it may be related to "my machine", the debugging seems to indicate that apm has an OpenSSL bundling that was compiled against the python.org Python 3.12 framework path which doesn't exist on my system and so a fix was to create a SSL_CERT_FILE env var for it like this:
export SSL_CERT_FILE=/usr/local/lib/apm/_internal/certifi/cacert.pem
Additional context
Claude investigation concluded that even if installing apm via brew it wouldn't help (as I considered it as an alternative to installing Python from python.org on the host OS):
No — it's the exact same PyInstaller binary (same apm-darwin-arm64.tar.gz from GitHub releases). The Homebrew formula just unpacks it
and writes a wrapper script around it. You'd have the identical SSL problem.
The formula even has a comment acknowledging the bundled Python.framework causes code-signing headaches — it strips the signature to
work around it. That's the same bundle you have now.
Your real options for a proper fix remain:
- Install python.org Python 3.12 (from python.org, not Homebrew) — fulfills the implicit dependency apm was built against
- File a bug with Microsoft's apm team — they should either compile their bundled OpenSSL with a cross-platform cert path, or
explicitly use certifi.where() in their SSL context. The current setup assumes python.org Python 3.12 is always installed alongside it,
which isn't a safe assumption on macOS
Describe the bug
I'm getting SSL certificate issues when installing from a GitHub repo.
While it may be related to "my machine", the debugging seems to indicate that apm has an OpenSSL bundling that was compiled against the python.org Python 3.12 framework path which doesn't exist on my system and so a fix was to create a SSL_CERT_FILE env var for it like this:
Additional context
Claude investigation concluded that even if installing
apmvia brew it wouldn't help (as I considered it as an alternative to installing Python from python.org on the host OS):No — it's the exact same PyInstaller binary (same apm-darwin-arm64.tar.gz from GitHub releases). The Homebrew formula just unpacks it
and writes a wrapper script around it. You'd have the identical SSL problem.
The formula even has a comment acknowledging the bundled Python.framework causes code-signing headaches — it strips the signature to
work around it. That's the same bundle you have now.
Your real options for a proper fix remain:
explicitly use certifi.where() in their SSL context. The current setup assumes python.org Python 3.12 is always installed alongside it,
which isn't a safe assumption on macOS