CFBundleIdentifier Collision submitting app with Canon EDSDK

I am trying to submit my App CaptureEclipse (AppleID 1567295651; AlmadenObservatory.CaptureEclipse) for release on the Apple Mac App Store. I am having a problem with getting the App Validated. The app includes the Canon EDSDK framework which includes two bundles CHHLLITE and EdsImage. Using the simple path of submitting the running code to Archive I get the following error during Validate for each bundle:

CFBundleIdentifier Collision The info.plist …. Is already in use by another application.

I have tried following the instructions I have found from Apple Websites {cited below} to no avail.  I have also tried following advice from 3rd party websites. Some of them allow the app to validate, but then it is unable to load the bundles.

Note that A-5 asked the same question for the same code on the developer forum 4 years ago and never received an answer.

This cannot be a unique problem and I am sure it is an RTFM, but I cannot find the proper “M” to “R”.  Please help

References  - Apple

A-1 Signing a Mac Product For Distribution -         https://developer.apple.com/forums/thread/128166

Does not discuss included frameworks

A-2 TN2206 https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG314

robhawley@Robs-Mac-Pro EDSDK.framework % codesign -f -v -s "Apple Distribution: robert hawley" Versions/A 

           Versions/A: replacing existing signature

           Versions/A: signed bundle with Mach-O thin (x86_64) [com.canon.edsdk]

        Code Ran Successfully

       Validate:  Both bundles reported CFBundleIdentifier Collision {} already in use by another application

  A-3 Code Signing Tasks

https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

followed “Using Library Validation” but did not change result

A-4 Developer Forums: CFBundleIdentifier Collision for using FMOD

https://developer.apple.com/forums/thread/678131

Similar to O-2 below (but did not suggest resigning). I gave it a try:

robhawley@Robs-Mac-Pro Framework % codesign -f -v --remove-signature EDSDK.framework/Versions/A/CHHLLite.bundle
EDSDK.framework/Versions/A/CHHLLite.bundle: replacing existing signature
EDSDK.framework/Versions/A/CHHLLite.bundle: signed  []

robhawley@Robs-Mac-Pro Framework % codesign -f -v --remove-signature EDSDK.framework/Versions/A/EdsImage.bundle
EDSDK.framework/Versions/A/EdsImage.bundle: replacing existing signature
EDSDK.framework/Versions/A/EdsImage.bundle: signed  []

robhawley@Robs-Mac-Pro Framework % codesign -f -v --remove-signature EDSDK.framework/Versions/A/EDSDK
EDSDK.framework/Versions/A/EDSDK: replacing existing signature
EDSDK.framework/Versions/A/EDSDK: signed  []

The result is that code sign failed during the Xcode build probably because the signing identifier (mine) did not match what was in the bundle (theirs). When I modified the bundles as suggested in O-2 then the bundles did not load.

A-5 Developer Forums: CFBundleIdentifier Collision. The Info.plist CFBundleIdentifier value 'com.canon.EdsImage

https://developer.apple.com/forums/thread/73528

Identical problem, but received no response

Other Sources

O-1 Hussain

https://sayeedontech.wordpress.com/2014/06/26/mac-app-code-signing-frameworks/

Gives same advice as TN2206 

O-2 FMod

            https://qa.fmod.com/t/cfbundleidentifier-collision/17227

            Suggests the most aggressive change.  Remove the signature on all 3 components, modify the info.plists with a new product id, resign with my certificate.  That does, in fact, allow validation, but the bundles do not load resulting in a crash in the framework during the first call into it.

A 100K foot question.

I am trying to submit this for notarization so I can distribute the App on the Mac App Store. I believe this requires that I bundle the framework within my App. Is that the way Apple foresees signed 3rd party frameworks being distributed? 

The notarization process appears to require everything so bundled to have unique identifiers and be signed with my Developer Certificate. It seems to ignore "Disable Library Validation Entitlement” even though it is listed as one of the App’s entitlements. However, changing the signing and identifiers breaks the framework.

How are other users of 3rd party frameworks handling this?

I didn’t respond to your App Store submission issue because I don’t have an immediate answer for that. However, I can answer your Developer ID issue. You wrote:

Is that the way Apple foresees signed 3rd party frameworks being distributed?

Yes.

While the notary service and Gatekeeper require that your product be signed with a valid Developer ID, they don’t require that all code use the same Developer ID. Having said that, using different Developer IDs is not the standard path. You are responsible for the behaviour of any code that you install, and thus you should sign it as your code. At a practical level:

  • This simplifies your library validation story.

  • Bundling the framework within your app simplifies your app install and uninstall story.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So if someone could suggest a procedure to remove the signing on a 3rd party framework (including the two included bundles) and replace it with my own signing then that would solve the problem. I could also remove the "Disable Library Validation" and run with a fully hardened runtime.

The parts all have valid Canon signatures and do not need (should not be) replaced with my own certificate because they are not my code.

IMO this is the correct option. If you’re distributing code as part of your product, you should sign it as your code because you are responsible for the behaviour of that code.

I could also remove the "Disable Library Validation" and run with a fully hardened runtime.

IMO this is an incorrect approach. Disabling library validation only makes sense in a limited set of circumstances [1] and using a third-party framework is not one of them.

So I am pretty well stuck at this point.

Indeed. Given the complexity of this issue I recommend that you open a DTS tech support incident so that I can help you one-on-one.

Make sure to include a reference to this DevForums thread, just for context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For example, when your app has to load third-party plug-ins that are distributed independently.

Indeed. Given the complexity of this issue I recommend that you open a DTS tech support incident so that I can help you one-on-one.

Make sure to include a reference to this DevForums thread, just for context.

OK That was going to be my next step. Once I get a solution this is worthy of an Apple Tech Note because I have seen this same problem multiple times.

I could also remove the "Disable Library Validation" and run with a fully hardened runtime.

IMO this is an incorrect approach. Disabling library validation only makes sense in a limited set of circumstances [1] and using a third-party framework is not one of them

I think this was caught in a double negative. I currently have to use Disable Library Validation since my current build uses the Library with Canon Signing. If I change the signing to my own then I will be able to run with a fully enabled Hardened Runtime

I verified that I can (and should) resign the 3 parts as follows. Doing so allows you to run with a fully hardened runtime.

where Ψ is the name of an Apple distribution certificate

my-machine  Framework % codesign -vvv -f --remove-signature EDSDK.framework/Versions/A/CHHLLite.bundle 
EDSDK.framework/Versions/A/CHHLLite.bundle: replacing existing signature
EDSDK.framework/Versions/A/CHHLLite.bundle: signed  []

my-machine  Framework % codesign -vvv -f --remove-signature EDSDK.framework/Versions/A/EdsImage.bundle 
EDSDK.framework/Versions/A/EdsImage.bundle: replacing existing signature
EDSDK.framework/Versions/A/EdsImage.bundle: signed  []

my-machine  Framework % codesign -vvv -f --remove-signature EDSDK.framework/Versions/A/EDSDK          
EDSDK.framework/Versions/A/EDSDK: replacing existing signature
EDSDK.framework/Versions/A/EDSDK: signed  []


my-machine  Framework % codesign -f -v -s Ψ EDSDK.framework/Versions/A/EdsImage.bundle
EDSDK.framework/Versions/A/EdsImage.bundle: signed bundle with Mach-O thin (x86_64) [com.canon.EdsImage]

my-machine  Framework % codesign -f -v -s Ψ EDSDK.framework/Versions/A/CHHLLite.bundle 
EDSDK.framework/Versions/A/CHHLLite.bundle: signed bundle with Mach-O thin (x86_64) [jp.co.canon.CHHLLite]

my-machine  Framework % codesign -f -v -s Ψ EDSDK.framework/Versions/A/EDSDK          
EDSDK.framework/Versions/A/EDSDK: signed bundle with Mach-O thin (x86_64) [com.canon.edsdk]

In Xcode you should select Frameworks, Libraries,.. to "embed and sign", Link Binary with libraries, and Embed Frameworks

Note that the subject issue remains open.

Other CFBundleIdentifier Collision threads, such as https://developer.apple.com/forums/thread/73528, can be marked as duplicates.

At the request of Apple DTS I submitted FB9567844.

I met with the App Store Connect folks this morning. They indicated they understood my problem.
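
The re-signing procedure verified earlier in this thread, as an added shell example that is not part of any post and is not Canon's or Apple's tooling: it signs nested `.bundle` directories deepest-first and the framework binary last, then verifies the result. The `Versions/A` layout and the `-f -v -s` flags come from the thread; the function names and the `DRY_RUN` switch are assumptions of this example. It keeps the vendor's bundle identifiers, so it does not address the CFBundleIdentifier collision itself.

```shell
#!/bin/sh
# Added example, not from the thread: re-sign a vendored framework inside-out.
# Function names and DRY_RUN are assumptions of this example.
# DRY_RUN=1 prints the codesign commands instead of running them.

# Print what to sign: nested *.bundle dirs deepest first, framework binary last.
signing_order() {
    fw=${1%/}
    ver="$fw/Versions/A"                      # layout shown in the thread
    name=$(basename "$fw" .framework)         # EDSDK.framework -> EDSDK
    # Prefix each path with its depth, sort deepest first, drop the prefix.
    find "$ver" -type d -name '*.bundle' \
        | awk -F/ '{ print NF "\t" $0 }' \
        | LC_ALL=C sort -k1,1nr -k2 \
        | cut -f2-
    printf '%s\n' "$ver/$name"
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

resign_framework() {
    fw=$1
    identity=$2
    [ -d "$fw/Versions/A" ] || { echo "no Versions/A in $fw" >&2; return 1; }
    # -f replaces the vendor signature; the bundle identifiers are unchanged.
    signing_order "$fw" | while IFS= read -r item; do
        run codesign -f -v -s "$identity" "$item" </dev/null || exit 1
    done || return 1
    # Fail the build step if any seal is broken after re-signing.
    run codesign --verify --strict -vvv "$fw"
}

# Usage: sh resign.sh path/to/EDSDK.framework "Apple Distribution: Your Name"
if [ "$#" -eq 2 ]; then
    resign_framework "$1" "$2"
fi
```

Running it with `DRY_RUN=1` first shows the exact signing order before any signature is replaced.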
