xattred: a tool for setting the quarantine xattr

A couple of days ago, I posted an article about how the quarantine xattr works, and outlined a method of setting it. This was based on work by klanomath, published on StackExchange, which in turn was based on research by reitermarkus and others on GitHub’s caskroom/homebrew-cask.

I’m pleased (very pleased!) to report that I have got this method working in my little xattred tool, which is now available from this article as an alpha release.

I’ll explain in code another time, but xattred now has two buttons: one to inspect all the extended attributes (xattrs) for a file or folder, the other to add a quarantine xattr to the selected file, which should force a full Gatekeeper check when that app is opened.

Here it is, putting (a copy of) itself into quarantine.

The xattred.app has just been built in Xcode, and when inspected in xattred, has no xattrs, as is usual. I then clicked the Add quarantine xattr button and selected xattred.app (not the running copy, of course). The contents of the xattr added are then shown to the right of the button. I then clicked on the Inspect button and selected xattred.app again, so that the xattr is displayed as it was written.


The quarantine xattr added reads:

The first item, 0083, should force a full Gatekeeper check. The second is the (real) Unix system time of the ‘download’. The third identifies xattred.app as the downloading app, and is followed by a real UUID for that event.

Not only does xattred write these into the quarantine xattr, but it also enters them into the SQLite database at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. I’m unsure as to how necessary that step is, but as we’ve come this far, it’s worth doing the whole job properly.

When you now try to open that app, it should undergo the full Gatekeeper check as if it had been downloaded from a website, and display one of the standard range of dialogs – in this case confirming that it passes.


Note that the website associated with the download is example.com and thus a dummy. So long as you don’t click on the Show Web Page button, you should be OK!

When Gatekeeper’s full check has been completed successfully, and the app opened, quit it and you can then inspect its quarantine xattr again.


This now reads
with the bits in its Gatekeeper score reading 00e3, indicating that it has passed and has been run.

xattred thus spares you from having to check that your app passes a full Gatekeeper assessment by uploading and downloading it. The latest release is available in Downloads above.