hoakley May 3, 2019 Macs, Technology

Serious flaw in macOS: quarantine can stop you from opening documents

Last week, I looked at quarantine flags on documents, and wondered what their true purpose was. I think I’ve found it: they can stop you from opening documents, even those which are known to be free of malware and have never been near the Internet. Yes, in macOS the purpose of document quarantine is to get in your way and ruin your day.

A little experiment

Find a document, any document, so long as it has a quarantine flag attached to it. This could be because it was downloaded from the Internet, or has merely been opened by a sandboxed app such as Preview. Then make a copy of it: don’t do this with the original, as by the end of this all you’ll want to with that copy is trash it, as it will drive you crazy.

Select that copy and use the Finder’s Get Info command to change the app which opens it to something other than the default for that document type. It doesn’t matter which app it is, so long as it’s not the default. Once that’s selected, and without applying this change to other documents of that type, close the Get Info dialog, and double-click on the document icon to open it using that new app.

You should see a dialog similar to that above, which refuses to let you open that document apparently because it is from an unidentified developer (not source), and your security preferences won’t allow it. None of this makes any sense, does it?

Select that document again, open the Get Info dialog, and set the app to open it back to the default, the first item in the popup menu. Close Get Info, and double-click on the document. It should open fine now. But if you ever again try to change that document’s individual setting for the app to open, you’ll find that macOS once again refuses to open it, with the same strange dialog which makes no sense at all.

Why does this happen?

To understand why this occurs, you need to know about two different ways of opening documents, and two different extended attributes (xattrs) which can become attached to them. Set your document’s app back to the non-default which caused that refusal, and this time open the non-default app and use its Open command in the File menu to open the document. Although the Finder refuses to play, you can still open that document from within the app, without generating any warnings or errors.

This is because, when you double-click a document, drag it to an app icon, etc., macOS uses LaunchServices to handle that interaction and opening. From within the app, though, LaunchServices aren’t (so) involved, and the app itself does the opening.

The more frequently-encountered xattr involved is the ‘quarantine flag’, com.apple.quarantine. This comes in two varieties for documents: a genuine form, which is essentially the same as that used for apps, and a spurious form which is attached whenever the document is opened by an app which runs in the sandbox. In this case, they both behave exactly the same.

The other xattr is less well-known, and is of type com.apple.LaunchServices.OpenWith. This is where information about a non-default app is stored, with its ID and location.

The OpenWith xattr is only attached to documents for which the user has specified a different app with which to open that document, as you did in the Get Info dialog above. For the great majority of your documents, there’s no OpenWith xattr, but once you have assigned a document a non-default app, this xattr seems to stick as tenaciously as a quarantine flag. Change that app back to the default, and the xattr isn’t removed but just changed to point to the default app instead.

That in itself could prove a problem if you were to change the default app for that document type, of course, which could leave some documents still being opened by the previous default app. I haven’t checked whether that actually happens, though. What the Finder should surely do is remove the OpenWith xattr altogether when the app is set back to the user’s default.

What’s most important here is that both xattrs are opaque to the user, who is usually blissfully unaware of their presence and content.

When you open a document inside an app, without calling on LaunchServices to handle it for you, the quarantine flag and OpenWith xattr seem to be effectively ignored: they don’t change any behaviours which are visible to the user.

Opening a document using LaunchServices, by double-clicking or dragging and dropping it, is very different. macOS then checks both the quarantine flag and the OpenWith xattr. If the latter points to the same app as the default for that document type, then regardless of the quarantine flag, the document is opened as expected; similarly, if there’s no quarantine flag, none is enforced.

But if a document has both quarantine flag and OpenWith xattr, and the app specified in the latter isn’t the default, macOS refuses that request when it’s made through LaunchServices. This results in the dialog that you see, which doesn’t make any sense because it’s actually intended for apps which can’t pass their first run tests, not for documents at all.

If the request is refused in this way, you may find the Finder’s app association in the Get Info dialog vanishes, leaving the popup blank, which is unhelpful.

How to fix it

With a growing number of documents having a quarantine flag attached, this can only become more frequent, causing more and more users increasing problems when trying to open them from the Finder, thus via LaunchServices.

The only effective ways to work around or fix this problem involve removing one of the three elements required: LaunchServices, the quarantine flag, or the OpenWith xattr. As the latter two are opaque to the user without entering the command line or using a tool such as my free xattred (from Downloads above), this isn’t simple.

The quickest workaround is to open the document from inside an app rather than relying on LaunchServices, but it’s more than just inconvenient to be unable to use the Finder and related services, and questions the very existence of macOS. A more lasting solution is to open Get Info and set the default app to open that document, but that isn’t what you want.

Removing either of the xattrs is highly effective, although that requires the command line or a third-party tool such as xattred, or my free Sandstrip (also from Downloads) which removes only spurious quarantine flags written by sandboxed apps. The snag then is that:

removing the OpenWith xattr changes the app which opens the document, and is not what you want;
removing the quarantine flag only works until a sandboxed app writes another flag to the document, and then you’re back to the square one.

Ultimate cause

macOS is clearly behaving in this way as a defence against malware, which might install an innocent-looking document but set its OpenWith xattr to ensure that it’s processed (installed or run in some way) using a third-party tool instead. However, there are several serious flaws in the way that this is currently implemented, in particular the differences in operation between app and document quarantine.

In normal circumstances, documents are left in permanent quarantine, because their flags are never unset or removed. This ensures that even many years after they were last opened by a sandboxed app, in this respect they still behave as if they had just been downloaded from the Internet.

One solution would be to change the behaviour of document quarantine, so that once a document has been opened successfully, its flag was changed to indicate that, and it was no longer treated as being in quarantine. Treating almost every document on a Mac as if it’s poised to suddenly turn malicious is a gross misjudgement. This wouldn’t be so much of a problem if sandboxed apps weren’t happily writing quarantine flags to every document that they open, even when they don’t even save that document. Such promiscuous behaviour will ultimately make opening documents from the Finder, etc., so dysfunctional as to be unreliable.

Furthermore, determining document behaviours like this through opaque metadata prevents the user from making judgements of their own on which documents to trust. It essentially deems every document untrusted for ever, which is most bizarre in comparison with the treatment of apps, which once they have passed their first run checks are so trusted that they can even have broken signatures and macOS doesn’t bat an eyelid at running them.

Many thanks to Martin, who kindly gave me the clues to find this little nightmare. He also reported the bug to Apple as ID 50305685, but I suspect this will turn out to be well-known there already.

18Comments

Add yours

1

Sebastian on May 3, 2019 at 2:30 pm

This happened to me very recently, on 10.13.6. I had long resisted moving from the old (and perfectly good) Pages ’09 to the newer version, so had Pages ’09 set as the default app for all .pages documents while keeping the new Pages app available for future purposes. With the 64-bit threat looming, I finally gave in and decided to start migrating to the newer version. I set out to do this only with new documents at first, keeping Pages ’09 as the default to safeguard all my old documents from unwanted conversion to the newer format. But since the default was to open with Pages ’09, I now had to manually set each document created with the new Pages to actually open with the new Pages. And sure enough, upon re-opening the first such document (with a simple double click in the Finder), I was greeted by the nonsensical “from an unidentified developer” message. I promptly suspected a problem with a quarantine flag, and inspecting with xattred confirmed the suspicion, though I had no idea how the file could have gotten quarantined in the first place (I myself had created it in an up-to-date Apple app only hours ago!). Indeed, removing the quarantine flag made the document open effortlessly the next time, so I thought it was a rare glitch and thought nothing further of it. Of course, after closing and trying to open the document yet another time, the message was back (as was the quarantine flag), leaving me mystified. I set the new Pages as the default for all .pages documents, but still no luck. Then I created another document in the new app, copied the contents from the ill-behaving document to it, and voilà, everything worked as expected with that one!

So, now I have a “solution” that prevents newly created documents from becoming unopenable after a simple save-and-close. Of course, this has the slight disadvantage of my whole archive of Pages ’09 documents now defaulting to opening with the newer version, which is likely to wreak all kinds of havoc on them should I forget to manually open with the old version, or not set each and every old document to specifically open with the old version. And God knows what will happen when I finally decide to convert those old documents to the new format (which, in the long run, I’ll of course be forced to)…

At least I now know, thanks to your recent articles on these issues, what the hell is going on. As to the why, well, I better not ask that question. But kudos to Apple for properly (and needlessly) wrecking yet another basic function of its OS.

LikeLike
2

Robert P. Hartle on May 3, 2019 at 4:54 pm

Huh???? Dunno where you guys come up with this stuff I have dozens of Apps including the whole Adobe Creative Cloud.. etc.. etc.. Documents from clients galore and downloaded from everywhere.. 6 year old MacBook Pro.. never run into any such Blah Blah Blah.. whatever, sounds like someone’s just making things troublesome for no good reason.

LikeLiked by 1 person
- 3
  
  hoakley on May 3, 2019 at 5:02 pm
  
  Have you tried the little experiment which I detailed at the start of this?
  What were your results?
  Howard.
  
  LikeLike
- 4
  
  Martin Wierschin on May 3, 2019 at 5:22 pm
  
  It’s not difficult to trigger this undesirable behavior, where the Finder prevents you from opening a file. If you use any sandboxed app (which is most apps these days) to save a file, and subsequently change the file’s “open with” setting in the Finder to another app, you won’t be able to open that file from the Finder. Instead you’ll just see a warning alert from Apple.
  
  LikeLiked by 1 person
5

Robert P. Hartle on May 3, 2019 at 4:59 pm

Huh???? I don’t know where you guys come up with this stuff. I have literally dozens of apps that I use every day. Documents from clients in all kinds of formats. Pages, Microsoft Word plus hundreds of docs downloaded all over the Internet. Never had any problems opening anything or documents “quarantined.” Sounds like some people like to fiddle around enough with their system to break it. Blah Blah Blah.. more like fake news.

LikeLike
- 6
  
  hoakley on May 3, 2019 at 5:03 pm
  
  That is thoroughly offensive.
  Have you tried the little experiment which I described? Have you even read this article carefully? Or are you just rubbishing someone else’s work without bothering to find out the facts?
  Howard.
  
  LikeLike
7

Martin Wierschin on May 3, 2019 at 5:18 pm

Thank you for the investigation into this problem Howard– very detailed as always!

Apple’s intentions here might be good, to prevent malicious use of the “open with” option, but it seems like this safeguard is overreaching. It seems to me it should protect against launching new or unsigned apps, not signed apps the user has previously launched.

The error alert is certainly confusing, considering it states something that’s flat untrue. The app is *not* from an unidentified developer. I had previously communicated with several users of my app after they encountered this alert. It’s completely misleading and I was unable to suggest any kind of solution, until recently after I discovered that “open with” customization was a factor.

LikeLiked by 1 person
8

Sebastian on May 3, 2019 at 5:48 pm

Well, in this case the alert is not erroneous because the app is not from an unidentified developer but because the file in question is not an app at all. It has also never been downloaded from anywhere; nor does it even have a developer. 😉 It seems pretty obvious that Apple, in addition to making a mess of the quarantine system as far as documents are concerned, has simply reused an existing dialog even though it has no relevance whatsoever for the actual “issue”.

LikeLiked by 1 person
9

kext on May 6, 2019 at 12:49 pm

Really??
Just click “Open Anyway” in System Preferences > Security & Privacy for each files types.

See you later.

kext

LikeLike
- 10
  
  hoakley on May 6, 2019 at 12:52 pm
  
  You have already posted this comment elsewhere, but haven’t explained where this mysterious “Open Anyway” option is in that pane. It’s news to me, but then I’ve only been using Mojave for 11 months.
  So please tell us all, where is this magic solution?
  Howard.
  
  LikeLike
  - 11
    
    kext on May 6, 2019 at 1:01 pm
    
    System Preferences > Security & Privacy
    this is my screen https://i.imgur.com/k6gWwqi.png
    
    LikeLiked by 1 person
    - 12
      
      hoakley on May 6, 2019 at 1:05 pm
      
      Which version of macOS are you running? That lowest option isn’t available in 10.14 at least as far as 10.14.4.
      Howard.
      
      LikeLike
  - 13
    
    kext on May 6, 2019 at 1:23 pm
    
    ehm…
    When you view that GateKeeper alert, “Open Anyway” compare it in System Preferences > Security & Privacy. This screen is under Mojave https://i.imgur.com/SI34jON.jpg
    
    kext
    
    See you later.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on May 6, 2019 at 3:35 pm
      
      Thank you so much – with the help of an email from Sebastian I know see this workaround.
      Where did you see this documented, please?
      I will be writing in detail about this shortly – I think you’ll find Sandstrip or Pratique are better solutions.
      Howard.
      
      LikeLike
  - 15
    
    kext on May 6, 2019 at 4:08 pm
    
    “Where did you see this documented, please?”
    I know it has existed since OS X 10.8 Mountain Lion.. So seeing the warning with Gatekeeper icon, I went to that panel..
    
    kext
    
    LikeLiked by 1 person
16

Michael Tsai - Blog - Quarantine: Apps and Documents on May 6, 2019 at 8:50 pm

[…] Howard Oakley: […]

LikeLike
17

Sebastian on July 29, 2019 at 2:20 pm

Nothing fundamentally new, but… I just had this happen to a video file. I opened it, the app’s dock icon started bouncing, I got a “Verifying xyz.mp4….” progress bar popup (!), and after 10 seconds or so, the dreaded “is from an unidentified developer” message appeared, blocking me from actually playing the video.

Funny thing is, I had never even touched this file before, let alone saved it. It was set to open with a different app than the default video player, but I had never set it so myself. The file had come via Air Drop from someone else’s computer, though they didn’t even have the app it was set to open with. Yet sure enough, changing “Open with” to the (my?) default app restored “normal” behavior. And xattred of course showed a quarantine flag. I guess that must have been attached when the file was received via Air Drop.

Sure, this is basically just the already-established behavior in a case equivalent to that of a downloaded video file, but it does emphasize yet again the absurdity of the whole issue.

(All still on 10.13.6.)

LikeLiked by 1 person
- 18
  
  hoakley on July 29, 2019 at 7:09 pm
  
  Thank you – yes, this the ‘feature’ or bug at work.
  AirDrop does add quarantine flags, and is one of Apple’s recommend methods for developers to check that their apps get through first run properly.
  Howard.
  
  LikeLike