Last Week on My Mac: App Store graffiti

For most of us, whatever goes on in extended attributes is something of a mystery. They’re deep-down internal things that we seldom get any glimpse of, and when they play up, we’re just bamboozled. A case in point was in High Sierra, when some documents started misbehaving. They looked perfectly good, and used to work before, then all of a sudden apps – even Apple’s own – started complaining that they were broken, claiming weird errors such as incorrect permissions when their permissions seemed fine.

A few intrepid users discovered that quarantine flags were appearing on these troublesome files. This was clearly an error or bug, because the files in question had never been near the Internet, so couldn’t have been placed in quarantine for that. Clearing those spurious quarantine flags seemed to solve the problem, though.

Although never particularly common, and certainly not widespread, this problem has continued into Mojave, it would appear. When a user asked me what these quarantine flags were doing, and how to disable their proliferation, I was simultaneously baffled and alarmed to find them all over my files too. It was (as ever) the omniscient Jeff Johnson who pointed me in the right direction, to the sandbox.

A little experimentation demonstrated how just opening some files with an app which runs in a sandbox attaches a quarantine flag to them. A great many Macs running Mojave use Apple’s bundled Preview as their default app for various files including PDF, JPEG and other image formats. Each time that it opens those, even if you don’t save the file, Preview tries to write yet another quarantine flag to the file.

Quarantine flags are barely documented by Apple. There’s brief mention in its developer documentation on URLResourceValues, which simply refers to a header file:
“The quarantine properties as defined in LSQuarantine.h. To remove quarantine information from a file, pass nil as the value when setting this property.”

LSQuarantine.h provides a little more detail, but no explanation, nor any reference to their use in sandboxing. It gives a list of quarantine types, which includes values to indicate web downloads, email attachments, and others, but doesn’t include “LSQuarantineTypeSandboxed” which is that used by these spurious flags. As that header file bears a copyright of 2003-2012, it’s quite possible that it’s just so woefully out of date that it precedes the introduction of this type of quarantine flag.

When writing about these spurious quarantine flags at the start of the week, I suggested that the best solution might be to strip them, at least those written as a result of sandboxing, recognising that they may soon be rewritten when that file is next opened by a sandboxed app. I’m still concerned that this aberrant behaviour might be important in some way, but as sandboxed apps continue to work fine with unflagged files, these don’t appear to be important.

These flags clearly aren’t about the established quarantine process. They don’t carry a UUID which refers to their entry in the Quarantine database, and user experience is that they don’t alter security checks – including those by XProtect – on the files to which they’re attached. Indeed, in some cases quite the opposite, as users have reported when QuickTime Player keeps attaching them to movies it plays.

As Apple steadfastly refuses to document quarantine flags and their behaviour properly, the only answer is to see whether stripping these spurious quarantine flags has any adverse effect when performed on a large scale. I can’t see a utility that will do this conveniently, so coming very shortly here will be the first test version of Sandstrip, which will do just that.

I’m also going to add a more general feature to strip extended attribute types from files and folders in my utility xattred.

If you’ve been experiencing problems opening files which have had these spurious quarantine flags attached, or just want to reclaim some disk space, Sandstrip should provide a simple solution for Sierra, High Sierra, and Mojave. I’ll be interested to know how you get on with it, and whether removing these flags has any adverse or beneficial effects.