Build Sinter from Source
Sinter builds on macOS 10.15 or above.
Because Sinter uses the EndpointSecurity API, it must be code-signed with an Apple-issued "Distribution" signing certificate and a matching provisioning profile that carries the EndpointSecurity entitlement, and the build must then be notarized. That provisioning profile is only issued after a manual application to Apple for the entitlement. If you cannot sign with such a certificate, you must disable SIP to build Sinter from source and run it locally. To disable SIP (not recommended except on a test system):
Schedule a Recovery Mode reboot:
$ sudo nvram "recovery-boot-mode=unused"; sudo reboot recovery
From Recovery Mode, launch Utilities -> Terminal. Disable SIP, and boot back into regular macOS:
$ csrutil disable; reboot
To confirm that SIP is disabled:
$ csrutil status
First, install Xcode 11.4 or newer.
Install the Xcode command-line tools as well. One way to do this is:
Sinter is a user-mode application authorization system for macOS, written in Swift.
(Optional, if building the installer pkg) The Sinter project uses CMake to automate the post-build packaging and notarization steps. Install the latest version of CMake.
This program is under heavy development, and new features will be added really soon! Currently, Sinter can deny applications based on their code directory hash (CDHash) value, using a JSON-based rule database that is provided either locally or by a Santa-compatible sync server.
Additional settings let the user choose whether unsigned and invalidly signed programs are allowed or denied, which can be used to mimic Santa's MONITOR mode.
Distributing a macOS application that uses the EndpointSecurity API, as Sinter does, requires building and signing with a Distribution certificate from an Apple Developer account that has been approved for the EndpointSecurity entitlement. Note that only a Team Account owner can apply for this entitlement. Apply here, at the "Request an Entitlement" link.
From the Sinter directory:
$ xcodebuild -scheme Sinter -configuration Release
If the build fails, you may first need to point the command-line tools at the full Xcode installation, then retry the command above:
$ sudo xcode-select --switch /Applications/Xcode.app/Contents/Developer
(Optional) To build the installer pkg, configure the CMake packaging project in a build directory and run its package target:
$ cd packaging && mkdir build && cd build && cmake .. && make package
Finally, to run Sinter and observe the console output in real time, do not double-click the Sinter app bundle in Finder. Instead, launch the daemon directly:
$ sudo Sinter.app/Contents/Library/SystemExtensions/com.trailofbits.sinter.systemextension
Run this way, it outputs events to stdout. When installed via the default install method, the launchd daemon configuration also redirects stdout and stderr to log files under /var/db/sinter/. Logs are updated every 2 minutes. Use Console.app for live logging.
Note: to run Sinter from the CLI this way, the Terminal.app process must also have the Full Disk Access permission, granted under System Preferences -> Security & Privacy -> Privacy.
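The two conditions above (an extension carrying the EndpointSecurity entitlement, or SIP disabled on the test machine) are easy to get wrong before a first launch. The following preflight script is an added example, not part of the Sinter project: each check parses the output of a macOS tool passed in as a string, so the logic runs anywhere, and run_preflight() wires the checks to the real csrutil, xcodebuild and codesign commands. The entitlement key com.apple.developer.endpoint-security.client is Apple's key for EndpointSecurity clients; the sample tool output at the bottom is constructed.

```shell
#!/bin/sh
# Preflight checks for a from-source Sinter build (added example, not project code).

# `csrutil status` output -> 0 if SIP is disabled.
sip_is_disabled() {
  printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: disabled'
}

# `xcodebuild -version` output -> 0 if Xcode is 11.4 or newer.
xcode_version_ok() {
  xv_major=$(printf '%s\n' "$1" | sed -n 's/^Xcode \([0-9][0-9]*\).*/\1/p' | head -n 1)
  xv_minor=$(printf '%s\n' "$1" | sed -n 's/^Xcode [0-9]*\.\([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$xv_major" ] || return 1
  [ "$xv_major" -gt 11 ] && return 0
  [ "$xv_major" -eq 11 ] && [ "${xv_minor:-0}" -ge 4 ]
}

# Entitlements plist (as printed by `codesign -d --entitlements :- <bundle>`) -> 0 if
# the EndpointSecurity client entitlement is present and true. Whitespace is stripped
# first because codesign may indent the plist with tabs or newlines.
has_es_entitlement() {
  printf '%s\n' "$1" | tr -d '\n\t ' \
    | grep -q '<key>com.apple.developer.endpoint-security.client</key><true/>'
}

# A local build loads only if the extension carries the entitlement (signed and
# notarized with an approved profile) or, failing that, SIP is disabled on this machine.
can_run_local_build() {  # $1: csrutil output, $2: entitlements plist
  has_es_entitlement "$2" || sip_is_disabled "$1"
}

# Run the checks against the real tools; only meaningful on macOS.
run_preflight() {
  app="${1:-Sinter.app}"
  ext="$app/Contents/Library/SystemExtensions/com.trailofbits.sinter.systemextension"
  xcode_version_ok "$(xcodebuild -version 2>/dev/null)" || echo "WARN: Xcode 11.4 or newer required"
  ents=$(codesign -d --entitlements :- "$ext" 2>/dev/null)
  if can_run_local_build "$(csrutil status 2>/dev/null)" "$ents"; then
    echo "OK: extension is entitled or SIP is disabled"
  else
    echo "FAIL: unsigned build with SIP enabled; the system extension will not load"
  fi
}

# Constructed sample tool output (not captured from a real machine).
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'
SAMPLE_ENTS='<plist version="1.0"><dict>
  <key>com.apple.developer.endpoint-security.client</key>
  <true/>
</dict></plist>'
can_run_local_build "$SAMPLE_CSRUTIL" "$SAMPLE_ENTS" && echo "sample: entitled build would load"
```

On a real machine, call run_preflight with the path to the built Sinter.app after the xcodebuild step.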