fix(deps): cap cryptography <47 to fix SIGILL on ARM64 Apple Silicon#1324
Merged
nicoloboschi merged 1 commit intomainfrom Apr 29, 2026
Merged
fix(deps): cap cryptography <47 to fix SIGILL on ARM64 Apple Silicon#1324nicoloboschi merged 1 commit intomainfrom
nicoloboschi merged 1 commit intomainfrom
Conversation
cryptography 47.0.0 emits CPU instructions that aren't exposed in the ARM64 Linux VMs used by Docker Desktop and Podman (AppleHV) on Apple Silicon. Importing `cryptography.hazmat.bindings._rust` crashes with SIGILL (exit 132), so v0.5.6 containers fail to start on those hosts. See pyca/cryptography#14733. The Dockerfile copies only pyproject.toml (not uv.lock) and runs `uv sync` without --locked, so each build re-resolves to the latest matching version. Without an upper bound, that picked up 47.0.0 once it shipped on 2026-04-24. Closes #1322
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cryptography>=46.0.6,<47inhindsight-api-slim/pyproject.toml. cryptography 47.0.0 emits CPU instructions that aren't exposed in the ARM64 Linux VMs used by Docker Desktop and Podman (AppleHV) on Apple Silicon, causingSIGILL(exit 132) on the very first import ofcryptography.hazmat.bindings._rust. See upstream illegal instruction on arm pyca/cryptography#14733.pyproject.toml, notuv.lock, and runsuv syncwithout--locked) silently picked up 47.0.0 the moment it shipped (2026-04-24), which is why v0.5.4 containers were healthy (resolved 46.0.7) and v0.5.6 containers crash on those runtimes.Closes #1322
Why CI didn't catch it
ubuntu-latest(linux/amd64) — cryptography 47.0.0 is fine on x86_64.linux/amd64,linux/arm64) under QEMU and pushes both, but the smoke test that would actually start a container is commented out (release.yml:390-409, "TODO: Re-enable smoke test when disk space issue is resolved"). The arm64 binary is built and published without ever being executed.A follow-up to re-enable the release-time smoke test (and ideally exercise the arm64 image) would prevent this class of bug in the future, but that's out of scope here.
Test plan
python3 -c "from cryptography.hazmat.bindings._rust import openssl"succeeds (cryptography resolves to 46.0.x)