Thoth SDK
sdk v0.1.15 / proxy v0.3.4

Santa macOS Trust Policy

Deploy Santa trust rules for thoth and thothctl using published Team ID, signing metadata, and release checksums.

Use this guide to enforce an allow-by-trust policy for thoth and thothctl on macOS endpoints running Santa: trust the publisher's Team ID for day-to-day upgrades, and optionally pin the exact release hashes you validated.

Inputs from each release

Download these assets from atensecurity/thoth release v<version>:

  • santa-metadata.json
  • signing-metadata.json
  • checksums.sha256
  • binaries or PKG you deploy

Extract publisher metadata:

jq -r '.teamId' santa-metadata.json
jq -r '.applicationIdentity' santa-metadata.json
jq -r '.installerIdentity' santa-metadata.json

Policy layering

  1. Allow by Team ID for signed Thoth binaries; this rule keeps working across releases.
  2. Add hash-based allow rules to pin an explicit, validated release.
  3. Keep the rules versioned in your configuration repository and roll them out via MDM.

Team ID trust rules

A Team ID rule allows any binary signed under the publisher's Developer ID, so it survives upgrades without a rule change:

TEAM_ID="$(jq -r '.teamId' santa-metadata.json)"
sudo santactl rule --allow --teamid "$TEAM_ID"

On endpoints that use a sync server (SyncBaseURL is set), Santa manages rules centrally and rejects local santactl rule changes; deliver the same rules through the sync server or the StaticRules configuration key instead.

Optional hash pinning rules

A hash rule matches the SHA-256 of the file on disk, so the digest from checksums.sha256 is only usable as a pin when the installed file is byte-identical to the published asset (the same universal binary, not a re-signed or thinned copy). Verify the download against checksums.sha256 before deriving a rule from it:

THOTH_SHA="$(awk '$2=="thoth-macos-universal" {print $1}' checksums.sha256)"
THOTHCTL_SHA="$(awk '$2=="thothctl-macos-universal" {print $1}' checksums.sha256)"

sudo santactl rule --allow --sha256 "$THOTH_SHA"
sudo santactl rule --allow --sha256 "$THOTHCTL_SHA"

Hash rules have to be replaced on every release; the Team ID rule above continues to allow new builds in the meantime.
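The two rule sections above assume the downloaded assets really are the published ones. The script below is an added example, not code from the Thoth project: it emits the santactl commands for one release and refuses to pin any asset whose on-disk hash differs from checksums.sha256, so a corrupted or wrong-version download cannot become an allow rule. It assumes the asset names used on this page (thoth-macos-universal, thothctl-macos-universal); the Team ID ABCDE12345 in the demo and the fixture files are placeholders, not Thoth's. It prints commands instead of running them so the output can be reviewed and committed before rollout.

```shell
#!/bin/sh
# Emit the Santa rules for one Thoth release, pinning a binary only when the
# downloaded file hashes to the published checksum. Added example, not from
# the Thoth project; asset names follow the guide, the Team ID ABCDE12345 and
# the fixture contents are placeholders.
set -eu

# SHA-256 of a file; shasum on macOS, sha256sum on Linux CI runners.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | awk '{ print $1 }'
  else
    shasum -a 256 -- "$1" | awk '{ print $1 }'
  fi
}

# Apple Team IDs are exactly 10 characters from A-Z and 0-9.
valid_team_id() {
  printf '%s' "$1" | grep -Eq '^[A-Z0-9]{10}$'
}

# Published digest for an asset name from checksums.sha256 ("<sha256>  <name>").
# Fails when the name is absent, so a typo cannot silently produce an empty pin.
release_hash() {
  awk -v name="$2" '$2 == name { print $1; found = 1 } END { exit !found }' "$1"
}

# $1 Team ID, $2 checksums.sha256, $3 directory with the downloaded assets,
# remaining args asset names. Prints nothing and returns 1 on any mismatch.
santa_rules() {
  local team_id="$1" checksums="$2" dir="$3" name want have rules
  shift 3
  valid_team_id "$team_id" || { echo "invalid Team ID: $team_id" >&2; return 1; }
  rules="santactl rule --allow --teamid $team_id"
  for name in "$@"; do
    want="$(release_hash "$checksums" "$name")" ||
      { echo "$name: not listed in $checksums" >&2; return 1; }
    have="$(sha256_of "$dir/$name")"
    [ "$want" = "$have" ] ||
      { echo "$name: checksum mismatch (release $want, local $have)" >&2; return 1; }
    rules="$rules
santactl rule --allow --sha256 $want"
  done
  printf '%s\n' "$rules"
}

# Constructed fixture: placeholder files standing in for the release binaries,
# plus a checksums.sha256 generated from them.
make_fixture() {
  printf 'placeholder for thoth\n' > "$1/thoth-macos-universal"
  printf 'placeholder for thothctl\n' > "$1/thothctl-macos-universal"
  {
    printf '%s  thoth-macos-universal\n' "$(sha256_of "$1/thoth-macos-universal")"
    printf '%s  thothctl-macos-universal\n' "$(sha256_of "$1/thothctl-macos-universal")"
  } > "$1/checksums.sha256"
}

# Demo: rules for the fixture, then a tampered asset that must be refused.
demo() {
  local dir
  dir="$(mktemp -d)"
  make_fixture "$dir"
  santa_rules ABCDE12345 "$dir/checksums.sha256" "$dir" thoth-macos-universal thothctl-macos-universal
  printf 'tampered\n' >> "$dir/thothctl-macos-universal"
  if santa_rules ABCDE12345 "$dir/checksums.sha256" "$dir" thothctl-macos-universal 2>/dev/null; then
    echo "BUG: tampered asset was pinned" >&2
    return 1
  fi
  echo "tampered asset refused, as intended"
  rm -rf "$dir"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with `--demo` to see the behaviour on the constructed fixture; for a real release, call `santa_rules "$(jq -r '.teamId' santa-metadata.json)" checksums.sha256 <download-dir> thoth-macos-universal thothctl-macos-universal`, review the printed commands, and run them as root (or convert them to StaticRules entries when a sync server manages the endpoint).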

Verify endpoint signing identity

codesign -dv --verbose=4 /usr/local/bin/thoth 2>&1 | grep -E 'TeamIdentifier|Authority='
codesign -dv --verbose=4 /usr/local/bin/thothctl 2>&1 | grep -E 'TeamIdentifier|Authority='

The TeamIdentifier value must equal the teamId in santa-metadata.json, and the Authority chain must run from a "Developer ID Application" leaf to "Apple Root CA". A binary reporting "TeamIdentifier=not set" is unsigned or ad-hoc signed and will not match the Team ID rule.
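Eyeballing the grep output does not scale to a fleet, so here is an added example (not Thoth project code) that turns the check into a pass/fail function: it parses codesign output, compares the Team ID with the expected value and requires a Developer ID Application leaf anchored at Apple Root CA. The parsing functions read codesign output from stdin so they can be exercised on the constructed samples below; the Team ID ABCDE12345, the publisher name and the sample lines are placeholders, not real Thoth signing data.

```shell
#!/bin/sh
# Verify that an installed Thoth binary carries the expected Team ID and an
# Apple-anchored Developer ID chain. Added example, not Thoth project code.
# Samples below are constructed; ABCDE12345 is a placeholder Team ID.

# TeamIdentifier line -> Team ID ("not set" for unsigned or ad-hoc signed files).
team_id_of() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# First Authority line must be a Developer ID Application certificate and the
# last one Apple Root CA; anything else is not Apple-issued publisher trust.
chain_ok() {
  local chain
  chain="$(sed -n 's/^Authority=//p')"
  printf '%s\n' "$chain" | head -n 1 | grep -q '^Developer ID Application: ' &&
    printf '%s\n' "$chain" | tail -n 1 | grep -q '^Apple Root CA$'
}

# $1 expected Team ID, codesign -dv output on stdin. Returns 0 only when both
# the Team ID and the chain check out.
check_identity() {
  local out got
  out="$(cat)"
  got="$(printf '%s\n' "$out" | team_id_of)"
  [ "$got" = "$1" ] ||
    { echo "Team ID mismatch: want $1, got '${got:-none}'" >&2; return 1; }
  printf '%s\n' "$out" | chain_ok ||
    { echo "unexpected signing chain" >&2; return 1; }
}

# On an endpoint: strict signature validation first (a forged or modified file
# fails here before any identity is trusted), then the identity check.
verify_binary() {
  codesign --verify --strict "$1" 2>/dev/null ||
    { echo "$1: signature invalid" >&2; return 1; }
  codesign -dv --verbose=4 "$1" 2>&1 | check_identity "$2"
}

# Constructed sample of codesign -dv --verbose=4 output for a Developer ID
# signed universal binary (only the fields the checks read).
SAMPLE_SIGNED='Executable=/usr/local/bin/thoth
Format=Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Publisher (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample for an ad-hoc signed build, which must be rejected.
SAMPLE_ADHOC='Executable=/usr/local/bin/thoth
Format=Mach-O thin (arm64)
Signature=adhoc
TeamIdentifier=not set'

# Exercise the parser on both samples when run directly.
printf '%s\n' "$SAMPLE_SIGNED" | check_identity ABCDE12345 && echo "signed sample: ok"
printf '%s\n' "$SAMPLE_ADHOC" | check_identity ABCDE12345 || echo "ad-hoc sample: rejected"
```

On an endpoint, call `verify_binary /usr/local/bin/thoth "$TEAM_ID"` for each binary. `santactl fileinfo /usr/local/bin/thoth` is a useful second opinion: it prints the file's SHA-256, signing chain and the decision Santa itself reaches under the current rules, which is what matters in LOCKDOWN mode.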

Rollout pattern

  1. Test group (1-5 endpoints)
  2. Pilot group (5-15%)
  3. Full fleet

For each stage, confirm that both binaries launch under policy and report healthy:

thoth --version
thothctl --version
thoth health --json

Incident handling

  • Block a compromised release by adding a block rule for each of its hashes. Santa evaluates hash rules before Team ID rules, so the bad build is blocked while other releases under the same Team ID keep running; merely removing the hash allow rules is not enough, because the Team ID rule would still allow the build.
  • If the signing identity itself is suspected compromised, remove the Team ID allow rule for the duration of triage, or switch the affected clients to MONITOR mode through configuration. Monitor mode is a per-client setting, not a per-rule one, and it only logs, so it is a triage aid rather than a containment measure.
  • After remediation, pin the hashes of the fixed release from its checksums.sha256 and keep the block rules for the compromised hashes in place.
