AirDrop and quarantine flags

There are now many ways of moving files between your Macs, including File Sharing, iCloud Drive, and AirDrop. Each has its virtues and vices, but there are some hidden snags which you need to be aware of.

Of the three, AirDrop is by far the most convenient, when it works. Although my two current Macs sit next to one another, with Wi-Fi and Bluetooth active, sometimes selecting AirDrop in a Finder window still draws a blank. I haven’t worked out a good way of poking this to activate it, but when I do I’ll let you know.

AirDrop has a bigger problem, though: because it’s a semi-public way of pushing files of unknown pedigree onto an unsuspecting Mac (or iOS device), macOS attaches a quarantine flag to everything transferred by AirDrop. For documents that’s only a minor irritant, now that macOS so promiscuously sets quarantine flags on every document opened by a sandboxed app. It can still catch you out when you try to open that document with an app other than the default for that type.

But for apps, command tools and other forms of executable code, this is more serious. If you’ve just copied one of those across, on the receiving Mac that software is now going to trigger a full Gatekeeper first run check. If that destination system happens to be Catalina and the software should be notarized but isn’t, you could find yourself wasting time slipping it past that. For command tools in particular that can come as a complete surprise.

The quarantine flag set by AirDrop transfer isn’t quite the same as one set on a file which has been downloaded from the Internet: instead of the flag itself (the first four characters of the string shown below) being 0083 from the Internet, AirDrop sets 0081.


Just as with a file downloaded from the Internet, AirPlay transfer also adds an extended attributed, which gives details of where the item originated. This is a Property List containing the long username of the Mac from which the item originated, and its machine name.


If you transfer an app by AirDrop, when you open it, it undergoes a full Gatekeeper first run check, and in Catalina, if it’s notarized, you’ll see a modified version of the normal user consent dialog, with the AirDrop reference.


In Catalina, if the app isn’t notarized, double-clicking it will elicit the usual failure dialog, and opening it using the Finder’s Open command gives you the option to open it regardless.


This isn’t too bad for full apps, where options are easy to access, but this also triggers fun and games with any command tools which you might have transferred, as described here a couple of days ago.

AirDrop adds quarantine flags to all files transferred: apps, other executable code, command tools, archives, and documents (even plain text). As quarantine flags are ‘sticky’, you can’t work around this by sending them in a Zip archive, unless you have a way of unzipping it without propagating the quarantine flag.

I have a couple of handy and free utilities which will mark document quarantine flags as clear, or strip them altogether if you prefer, but they leave app flags alone, because of the security implications. If you want to remove quarantine flags from apps or other code, you’ll need to use my free tool xattred, or Terminal.

Of course, File Sharing and iCloud Drive don’t require quarantine flags, as they’re more tightly controlled in making connections. It will be interesting to see whether iCloud Drive sharing will change this.