Skip to content

The Eclectic Light Company

Macs, painting, and more
Main navigation
  • Downloads
  • M1 & M2 Macs
  • Mac Problems
  • Mac articles
  • Art
  • Macs
  • Painting
hoakley August 14, 2017 Macs, Technology

Show me your metadata: extended attributes in macOS Sierra

Files don’t just consist of data, but also have information about them. The more obvious bits of information, such as the date and time of creation and other information displayed in the Finder’s Get Info dialog, are their attributes. They may also have more extensive metadata, which form their extended attributes: xattr in short.

(Beware: xattr is not .xattr, which would make it appear a file extension. Extended attributes are not stored in files with the extension .xattr, at least not in macOS.)

Another way of looking at extended attributes comes from the ‘forks’ of files which were used extensively in classic MacOS. Many files had ‘resource forks’ in addition to their plain data, which could include things like saved window settings for a document. Classic apps were largely composed of resources, which stored the dialogs, windows, menus, and much else. In macOS, the resource fork is also considered to be metadata, and stored as an xattr.

Xattrs are not confined to macOS, not by a long way, but are used quite similarly in Linux, BSD, and elsewhere. But macOS does some very specific and significant things with xattrs, making them important to Mac users.

Quarantine

The most significant purpose of one specific xattr, named com.apple.quarantine, is to mark which files – apps in particular – have been downloaded from the internet rather than obtained locally. These are then used by Gatekeeper to determine whether an app requires full checking of its signature.

For example, the com.apple.quarantine xattr of
0002;57068194;Safari.app;C9E5ACBF-7078-4E1C-B9A1-5D0FAEADF10D
gives that file a Gatekeeper score of 0002, was downloaded at clock time 57068194 by Safari.app, and has a UUID of C9E5ACBF-7078-4E1C-B9A1-5D0FAEADF10D.

Low Gatekeeper scores of 0003 and less will result in Gatekeeper performing a full check of the app. I will explain the Gatekeeper score in more detail in an article here tomorrow: they are not so simple after all! The UUID refers to that file’s entry in the quarantine database, which is kept in ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 – normally a large SQLite database file.

The quarantine xattr is not attached to every file or app which makes it onto your Mac. Web browsers and most mail clients add it, but copying a file across a file sharing system, or downloading it using a command tool such as curl, will not normally attach it.

Quarantine xattrs are remarkably persistent and may propagate, although the great majority have high Gatekeeper scores which ensures that they are not subjected to a full signature check (and are in any case not signed and not signable).

xattred1

Other xattrs

I have been unable to find a list of the most common xattrs which you will encounter. As any developer (or user) can make up their own, there is no limit to them. Here are some which you are likely to come across.

com.apple.FinderInfo is found very widely, and contains (a little) Finder information, sometimes including the old file type and creator strings.

com.apple.metadata is for metadata generally, and is usually further qualified by a label such as:

  • _kMDItemUserTags contains Finder tag information
  • kMDLabel_ followed by a string of apparently random letters
  • _kTimeMachineNewestSnapshot gives the latest Time Machine backup timestamp for a major folder such as your Home folder
  • _kTimeMachineOldestSnapshot gives the oldest Time Machine backup timestamp for a major folder such as your Home folder
  • kMDItemDownloadedDate gives the datestamp for when a downloaded item was obtained
  • kMDItemWhereFroms gives the URL from which a downloaded item was obtained
  • kMDItemIsScreenCapture, kMDItemScreenCaptureGlobalRect, and kMDItemScreenCaptureType for screenshots.

com.apple.progress.fractionCompleted is sometimes associated with a user’s Home folder.

com.apple.ResourceFork is a resource fork.

com.apple.rootless marks items which are protected by SIP.

com.apple.serverdocs.markup appears to be left on some folders which have been handled by macOS Server.

The metadata associated with images (including EXIF) and other media files are normally stored within the file, and not in xattrs.

Accessing and editing xattrs

Some of the ‘Swiss army knife’ GUI tools for macOS give access to xattrs, but as standard, the only way that a user can view or change xattrs is in Terminal, using the xattr tool. This is fairly straightforward and fully documented in its man page.

The first step in accessing xattrs is to determine whether the given file or folder has them: for example, using ls -la to list a folder in detail will show an @ at the end of the permissions flags if the item has xattrs:
drwxr-xr-x@ 254 hoakley staff 8636 24 Jul 18:39 miscDocs

xattr -l filepath
will list in full all the xattrs for the item filepath, which can be a file or folder, of course. You can write an xattr using the option -w, delete it with -d, and more.

Xattrs are stored in an Attributes area in the volume metadata. They are thus not a ‘file’, but part of the file system data for that volume.

Because it gets quite tedious exploring xattrs in Terminal, I have put together a little app xattred (pronounced like shattered, but with the Greek letter χ chi at the start), which lets you inspect the xattrs of files and folders, and save them as text files. The latest release is in Downloads above.

Cautions

Some command tools may still not handle xattrs properly: check carefully before using cpio, zip or pax, for example, as you may need to supply an option if you wish to preserve xattrs. Although most file systems should handle xattrs – HFS+ does, of course, and APFS has full support too – NFS does not, and is likely to strip them if you do not archive files first using a method which retains xattrs.

Xattrs can be large; in the extreme, it is possible to fill a volume with metadata in xattrs, which can bypass some user and system controls. Although I have not yet come across their abuse by malware, you should always be aware of that possibility.

Share this:

  • Twitter
  • Facebook
  • Reddit
  • Pinterest
  • Email
  • Print

Like this:

Like Loading...

Related

Posted in Macs, Technology and tagged APFS, extended attributes, forks, HFS+, macOS, metadata, quarantine, resources, Sierra, xattr. Bookmark the permalink.

Quick Links

  • Downloads
  • Mac Troubleshooting Summary
  • M1 & M2 Macs
  • Mac problem-solving
  • Painting topics
  • Painting
  • Long Reads

Search

Monthly archives

  • February 2023 (7)
  • January 2023 (74)
  • December 2022 (74)
  • November 2022 (72)
  • October 2022 (76)
  • September 2022 (72)
  • August 2022 (75)
  • July 2022 (76)
  • June 2022 (73)
  • May 2022 (76)
  • April 2022 (71)
  • March 2022 (77)
  • February 2022 (68)
  • January 2022 (77)
  • December 2021 (75)
  • November 2021 (72)
  • October 2021 (75)
  • September 2021 (76)
  • August 2021 (75)
  • July 2021 (75)
  • June 2021 (71)
  • May 2021 (80)
  • April 2021 (79)
  • March 2021 (77)
  • February 2021 (75)
  • January 2021 (75)
  • December 2020 (77)
  • November 2020 (84)
  • October 2020 (81)
  • September 2020 (79)
  • August 2020 (103)
  • July 2020 (81)
  • June 2020 (78)
  • May 2020 (78)
  • April 2020 (81)
  • March 2020 (86)
  • February 2020 (77)
  • January 2020 (86)
  • December 2019 (82)
  • November 2019 (74)
  • October 2019 (89)
  • September 2019 (80)
  • August 2019 (91)
  • July 2019 (95)
  • June 2019 (88)
  • May 2019 (91)
  • April 2019 (79)
  • March 2019 (78)
  • February 2019 (71)
  • January 2019 (69)
  • December 2018 (79)
  • November 2018 (71)
  • October 2018 (78)
  • September 2018 (76)
  • August 2018 (78)
  • July 2018 (76)
  • June 2018 (77)
  • May 2018 (71)
  • April 2018 (67)
  • March 2018 (73)
  • February 2018 (67)
  • January 2018 (83)
  • December 2017 (94)
  • November 2017 (73)
  • October 2017 (86)
  • September 2017 (92)
  • August 2017 (69)
  • July 2017 (81)
  • June 2017 (76)
  • May 2017 (90)
  • April 2017 (76)
  • March 2017 (79)
  • February 2017 (65)
  • January 2017 (76)
  • December 2016 (75)
  • November 2016 (68)
  • October 2016 (76)
  • September 2016 (78)
  • August 2016 (70)
  • July 2016 (74)
  • June 2016 (66)
  • May 2016 (71)
  • April 2016 (67)
  • March 2016 (71)
  • February 2016 (68)
  • January 2016 (90)
  • December 2015 (96)
  • November 2015 (103)
  • October 2015 (119)
  • September 2015 (115)
  • August 2015 (117)
  • July 2015 (117)
  • June 2015 (105)
  • May 2015 (111)
  • April 2015 (119)
  • March 2015 (69)
  • February 2015 (54)
  • January 2015 (39)

Tags

APFS Apple AppleScript Apple silicon backup Big Sur Blake bug Catalina Consolation Console diagnosis Disk Utility Doré El Capitan extended attributes Finder firmware Gatekeeper Gérôme HFS+ High Sierra history of painting iCloud Impressionism iOS landscape LockRattler log logs M1 Mac Mac history macOS macOS 10.12 macOS 10.13 macOS 10.14 macOS 10.15 macOS 11 macOS 12 macOS 13 malware Mojave Monet Monterey Moreau MRT myth narrative OS X Ovid painting Pissarro Poussin privacy realism Renoir riddle Rubens Sargent scripting security Sierra SilentKnight SSD Swift symbolism Time Machine Turner update upgrade Ventura xattr Xcode XProtect

Statistics

  • 13,787,171 hits
Blog at WordPress.com.
Footer navigation
  • About & Contact
  • Macs
  • Painting
  • Language
  • Tech
  • Life
  • General
  • Downloads
  • Mac problem-solving
  • Extended attributes (xattrs)
  • Painting topics
  • Hieronymus Bosch
  • English language
  • LockRattler: 10.12 Sierra
  • LockRattler: 10.13 High Sierra
  • LockRattler: 10.11 El Capitan
  • Updates: El Capitan
  • Updates: Sierra, High Sierra, Mojave, Catalina, Big Sur
  • LockRattler: 10.14 Mojave
  • SilentKnight, silnite, LockRattler, SystHist & Scrub
  • DelightEd & Podofyllin
  • xattred, Metamer, Sandstrip & xattr tools
  • 32-bitCheck & ArchiChect
  • T2M2, Ulbow, Consolation and log utilities
  • Cirrus & Bailiff
  • Taccy, Signet, Precize, Alifix, UTIutility, Sparsity, alisma
  • Revisionist & DeepTools
  • Text Utilities: Nalaprop, Dystextia and others
  • PDF
  • Keychains & Permissions
  • LockRattler: 10.15 Catalina
  • Updates
  • Spundle, Cormorant, Stibium, Dintch, Fintch and cintch
  • Long Reads
  • Mac Troubleshooting Summary
  • LockRattler: 11.0 Big Sur
  • M1 & M2 Macs
  • Mints: a multifunction utility
  • LockRattler: 12.x Monterey
  • VisualLookUpTest
  • Virtualisation on Apple silicon
  • LockRattler: 13.x Ventura
Secondary navigation
  • Search

Post navigation

Danseuses: 2 The social message
Changing Stories: Ovid’s Metamorphoses on canvas, 38 Cephalus and Procris

Begin typing your search above and press return to search. Press Esc to cancel.

  • Follow Following
    • The Eclectic Light Company
    • Join 3,133 other followers
    • Already have a WordPress.com account? Log in now.
    • The Eclectic Light Company
    • Customize
    • Follow Following
    • Sign up
    • Log in
    • Copy shortlink
    • Report this content
    • View post in Reader
    • Manage subscriptions
    • Collapse this bar
 

Loading Comments...
 

    %d bloggers like this: