Hi: Our group would like to forward logs from our Macs in our integration/production environments to a central server. I haven't found any good documentation for this yet.
Can anyone point me to a way to forward to a Graylog or syslog-based server?
We're not against cobbling together an app or script using "log stream" to send the info ourselves, but that seems extreme for what I'd think is a very common use case.
I have an internal customer who is trying to submit an IPA to TestFlight via a Jenkins pipeline, and they are submitting their IPA to our central code signing service first. But they're seeing failures in their logs such as:
{
  "id" : "bb07c32d-b4d6-48c4-abfe-390a46dec3ca",
  "status" : "409",
  "code" : "STATE_ERROR.VALIDATION_ERROR.90179",
  "title" : "Asset validation failed",
  "detail" : "Invalid Code Signing. The executable 'Payload/their.app/Frameworks/Pods_their.framework/Pods_their' must be signed with the certificate that is contained in the provisioning profile."
}
I obtained the signed IPA file, and examined one of the items flagged as incorrectly signed with "codesign -d -vvvv". I see the correct team identifier in the output, along with the correct ("Distribution") authority.
I unbundled the IPA with "ditto -xk", extracted the plist from the embedded provisioning file with "security cms -D -i", and examined the lone developer certificate with "plutil -extract DevelopCertificates.0" and "certtool d". The subject name fields correspond to the correct cert: "Other name" and "OrgUnit" contain "our" team name, "Org" has our company name, "Common Name" has the name of the authority mentioned above.
In short, it looks like we're signing it properly, but Apple notarization is refusing it.
(For the record, something on Apple's side complained about using "altool" instead of "notarytool". I don't know if that's our problem or not.)
What else should I be doing to confirm the status of the signatures? I'm missing something, but I have no idea what.
I work with a team that is responsible for our company's centralized infrastructure for code signing various products within our portfolio, including iOS apps. For security purposes, we want to sign apps before their posting on the App Store, and also to log this activity for eventual security audits. Not surprisingly, we need automated processes; we can't use an IDE like Xcode to do the work. We must queue, process, and log all signing jobs, and have Macs dedicated to this purpose.
I can't go into many details about our infrastructure due to confidentiality concerns, so I'll apologize now if my questions seem a little vague.
We currently require our iOS developers to submit one or more new provisioning profiles as well as their IPA archive for signing. We support supplying multiple provisioning profiles because some of our developers include embedded third-party extensions within their IPAs, and these extensions can also have their own provisioning profiles. Within our back end, we open the archive, sign the relevant portions using the entitlements in one of the profiles (that we believe to be the appropriate one for the particular archive element), overwrite each supplied provisioning profile with (what we believe to be) the appropriate one from user input, and re-compress the archive.
Here come the questions:
When we receive multiple provisioning profiles, how do we know which profile should be used to help with signing which archive elements? What data (e.g. entitlements application-identifier, team-identifier) can we use?
We also need to know which provisioning profiles from their input correspond to those that already exist within the archive. What data can we use to map profiles from one set to the other?
Should we be requiring our users to submit new provisioning profiles in the first place? Or should we edit/recycle the existing ones in some way? We'd like to remove any unnecessary burdens for our users, if possible.
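As an added illustration of the matching questions above (example code written for this page, not from the thread or from Apple), the script below scores each supplied profile's Entitlements application-identifier against a bundle element's identifier, prefers an exact match over a team wildcard, skips expired profiles, and lists the fingerprints of the profile's DeveloperCertificates so they can be compared with the identity codesign actually used. It assumes profiles have already been decoded with `security cms -D` and loaded with plistlib; the SAMPLE_PROFILES, TEAM and NOW values are constructed.

```python
"""Match supplied provisioning profiles to the bundle elements they govern.
Each profile is the plist dict from `security cms -D -i x.mobileprovision`, loaded
with plistlib; the SAMPLE_PROFILES below are constructed stand-ins."""
import hashlib
from datetime import datetime, timedelta, timezone

def app_id_score(app_id, team_id, bundle_id):
    """Score an Entitlements application-identifier (TEAMID.bundle or TEAMID.*)
    against a bundle identifier: 2 exact, 1 wildcard, 0 wrong team / no match."""
    prefix, _, pattern = app_id.partition(".")
    if prefix != team_id:
        return 0
    if pattern == bundle_id:
        return 2
    if pattern.endswith("*") and bundle_id.startswith(pattern[:-1]):
        return 1
    return 0

def choose_profile(profiles, team_id, bundle_id, now=None):
    """Name of the best unexpired profile for bundle_id (exact beats wildcard), or None."""
    now = now or datetime.now(timezone.utc)
    best_name, best_score = None, 0
    for p in profiles:
        exp = p["ExpirationDate"]
        if exp.tzinfo is None:          # plistlib yields naive datetimes in UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            continue
        score = app_id_score(p["Entitlements"]["application-identifier"], team_id, bundle_id)
        if score > best_score:
            best_name, best_score = p["Name"], score
    return best_name

def cert_fingerprints(profile):
    """SHA-1 fingerprints of the DER certs in DeveloperCertificates; the identity used
    by codesign must be one of these, or validation reports 'Invalid Code Signing'."""
    return sorted(hashlib.sha1(der).hexdigest().upper()
                  for der in profile["DeveloperCertificates"])

TEAM = "ABCDE12345"                      # constructed team identifier
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
def _sample(name, app_id, days_left):   # constructed profile with only the keys used above
    return {"Name": name, "ExpirationDate": NOW + timedelta(days=days_left),
            "Entitlements": {"application-identifier": app_id},
            "DeveloperCertificates": [b"constructed DER for " + name.encode()]}
SAMPLE_PROFILES = [
    _sample("App Store - app", f"{TEAM}.com.example.app", 200),
    _sample("App Store - app (expired)", f"{TEAM}.com.example.app", -5),
    _sample("App Store - widget", f"{TEAM}.com.example.app.widget", 200),
    _sample("Team wildcard", f"{TEAM}.*", 200),
]
```

Mapping a profile already embedded in the archive to a supplied one works the same way: compare their application-identifier values (and team) rather than their UUIDs, which change on every regeneration.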