xattr: com.apple.quarantine, the quarantine flag

Type: com.apple.quarantine
Subtypes: none
Serialisation: none
Data type: UTF-8 string containing Gatekeeper score, the system time of download, the downloading app or agent, and a UUID for the event
Example: <30303833 3b353833 37316533 633b5361 66617269 2e617070 3b334239 32393643 302d4336 46342d34 3942332d 42414331 2d424342 32323946 46453744 36> «0083;58371e3c;Safari.app;3B9296C0-C6F4-49B3-BAC1-BCB229FFE7D6»
macOS: El Capitan, Sierra, High Sierra
System use: very uncommon
App use: all downloaded apps
Document use: common, notably Zip and other archives which have been downloaded
Other usage: none

Purpose: flags requirement to perform full Gatekeeper check on downloaded app (or executable).
Information:

The UUID corresponds to an entry in the QuarantineEvents database (SQLite) at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. As of Sierra, no checking is performed on the app named as the downloading agent, and the UUID may not be checked either.

The flag is sticky, and is inherited by files within archives, etc. When a quarantined archive is unzipped, a single bit may be set in the high-order byte of the Gatekeeper score. In binary, that might be
00000001 10000011

When that app is run, Gatekeeper performs a full check on it; assuming that it passes and is authorised for use on that Mac and is then run, the Gatekeeper score would become
00000001 11100011
with two further bits set: the higher-order bit indicates that it has passed the full Gatekeeper check, and the other that the app has now been run as well.
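
As an added example (not part of the original page), this parser decodes the xattr value and the score bits described above, using the page's own example value. The bit constant names are made up for this example, and reading the second field as hexadecimal seconds since the Unix epoch is an assumption.

```python
import uuid
from datetime import datetime, timezone

# Bit meanings as described on this page; the names are this example's own.
BIT_UNARCHIVED = 0x0100    # may be set when the item is unzipped
BIT_PASSED_CHECK = 0x0040  # passed the full Gatekeeper check
BIT_HAS_RUN = 0x0020       # the app has since been run

# The page's example value, in the hex-dump form shown in the Example field.
EXAMPLE_DUMP = ("<30303833 3b353833 37316533 633b5361 66617269 2e617070 "
                "3b334239 32393643 302d4336 46342d34 3942332d 42414331 "
                "2d424342 32323946 46453744 36>")

def from_hex_dump(dump):
    """Turn a dump like '<30303833 3b35...>' into its UTF-8 string."""
    return bytes.fromhex("".join(dump.strip("<> \n").split())).decode("utf-8")

def parse_quarantine(value):
    """Split 'score;time;agent;uuid' and decode each field.

    Raises ValueError on a wrong field count, non-hex score or time,
    or a malformed UUID.
    """
    parts = value.split(";")
    if len(parts) != 4:
        raise ValueError("expected 4 ';'-separated fields, got %d" % len(parts))
    score_hex, time_hex, agent, event_id = parts
    score = int(score_hex, 16)
    return {
        "score": score,
        "score_bits": format(score, "016b"),
        "unarchived": bool(score & BIT_UNARCHIVED),
        "passed_check": bool(score & BIT_PASSED_CHECK),
        "has_run": bool(score & BIT_HAS_RUN),
        # Assumption: the time field is hex seconds since the Unix epoch.
        "downloaded": datetime.fromtimestamp(int(time_hex, 16), timezone.utc),
        "agent": agent,
        "uuid": str(uuid.UUID(event_id)).upper(),
    }

if __name__ == "__main__":
    record = parse_quarantine(from_hex_dump(EXAMPLE_DUMP))
    for key, val in record.items():
        print("%-13s %s" % (key, val))
```

The string to parse can be read from a file with /usr/bin/xattr -p com.apple.quarantine appname.app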

Tools: xattred, xattr

It is possible to add a quarantine flag in Terminal.

First obtain a UUID using the Terminal command
/usr/bin/uuidgen
which should be suitable for pasting at the end of the xattr string, with a command like
/usr/bin/xattr -w com.apple.quarantine "0083;5991b778;Safari.app;BC4DFC58-0D26-460D-9688-81D119298642" appname.app

If that doesn’t trigger a full check, then try inserting the UUID into the QuarantineEvents database using a command of the form
/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "INSERT INTO \"LSQuarantineEvent\" VALUES('BC4DFC58-0D26-460D-9688-81D119298642','5991b778',NULL,'Safari.app','http://dummy.com/file.zip',NULL,NULL,0,NULL,'/Users/myname/appname.app',NULL);"

Check that record for the UUID using the command
/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT * FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier == 'BC4DFC58-0D26-460D-9688-81D119298642'"

Then repeat the command to add the quarantine xattr, as above.

Links:
klanomath on StackExchange’s AskDifferent
reitermarkus and others on GitHub’s caskroom/homebrew-cask

Original page: 2017-12-10
Last modified: 2017-12-10