Quarantined documents, Pratique and Sandstrip

The quarantine ‘flag’ is a small item of metadata, an extended attribute, which was introduced with macOS 10.5 in 2007 primarily for apps and executable code, to determine which should be passed to Gatekeeper to undergo its full first run checks. Ever since, quarantine flags have also been set on other files, including documents, but until recently those have been largely ignored.

Then in Mojave users started to experience problems opening some documents using certain apps, which apparently resulted from more widespread setting of quarantine flags. As well as being applied to downloaded documents, sandboxed apps had started setting quarantine flags on every document they saved, and sometimes had merely opened. This caused problems when trying to open those documents with some other apps. For example, if Preview is set to open all PDFs by default, changing that on a single PDF could block other apps from opening it.

In response to this, I developed two utilities, Pratique and Sandstrip, which can solve these frustrating problems.

Pratique changes document (and only document) quarantine flags by setting its quarantine flag to ‘off’, indicating that quarantine has been cleared. This should be sufficient to work through any problems caused by them. It’s careful not to apply this to apps or other code bundles, so shouldn’t interfere with Gatekeeper performing full first run checks on freshly downloaded apps.

Sandstrip works differently, in that it looks to see if any quarantine flag is of the type normally applied by a sandboxed app, with the resource key kCFURLQuarantinePropertiesKey. All those that it finds it then removes completely.

In Catalina, Apple has changed this system again with its new com.apple.macl extended attribute, which is used to enforce per-document privacy protection. This is more complex, and those attributes can’t be removed so easily because they’re protected by SIP. Problems with document quarantine have changed, although all these flags can still occasionally cause trouble.

In the event that a document’s com.apple.macl attribute is giving you grief, replace the original document with a copy, as making copies unlocks SIP protection, allowing you to remove that attribute using my extended attribute utility xattred, if that’s still required.

You can find more details of these behaviours and problems in this article about document quarantine, and this one about com.apple.macl extended attributes. Pratique, Sandstrip and xattred are now all Universal Apps and available from their Product Page.

4Comments

Add yours

1

Albert Godfrind on August 29, 2020 at 7:51 am

Thanks for another interesting article and the great tools.

Coming back to my comment of the other day, it would be interesting to understand what the macOS designers think a “document” is. And going back to java: is a java library (a jar file) considered a “document” ? Like a pdf it is opened only by the java runtime and executed or used by executable code. Some java-tools also do invoke native binary executables. If PDFs can be quarantined, then it seems to me like it would make a lot of sense for jar files (or any other executable code like js for node.js, Python, etc) should also be quarantined.

I checked this and found out that pretty much all the jar libraries I have on my Mac are quarantined. Yet I don’t get any alert or request for confirmation. It may be because I allowed java full access to my Documents directory …

Albert

LikeLiked by 1 person
- 2
  
  hoakley on August 29, 2020 at 9:47 am
  
  Thank you.
  All files downloaded from the Internet using most apps, and all those transferred by AirDrop have a quarantine flag attached to them to indicate that they have come from outside that Mac.
  The behaviour I’m concerned about here isn’t that: it’s the fact that when you open a PDF using Preview, even though you don’t save that file, and it may never have been outside your Documents folder, Preview attaches a quarantine flag to it. That’s nothing to do with privacy protection, but a standard behaviour which seems the result of apps running in the sandbox.
  Howard.
  
  LikeLike
3

Maxime on September 1, 2020 at 4:58 pm

Hello,

Thanks to Pratique ! Il fut pratique ! Thank to you !

Big Sur had trouble with Desktop picture, menu bar, and dark mode. The menu bar was like a pulsar, dark- light, dark -light… and I used all options with accessibility setting.. and I surrender, and hide the menu bar… but, today, I make big clean, and… I removed the quarantine flag to my desktop pictures, and … fixed.

That is good, but fearing… cause if just a picture makes your device uncomfortable, I couldn’t imagine more risky things … ! And is impressive the aerobatic manoeuvre that macOS Big Sur did to try to keep the flight…. Apple should start to communicate seriously…

LikeLiked by 1 person
- 4
  
  hoakley on September 1, 2020 at 5:59 pm
  
  Thank you.
  Howard.
  
  LikeLike

Share this:

Related