hoakley September 9, 2022 Macs, Technology

App first run, quarantine and translocation

A simple account of what happens when you first run an app you have just downloaded runs something like:

As the app has its quarantine flag set, it undergoes full first run checks by Gatekeeper.
The app undergoes a full signature check, XProtect scan, and its notarization is checked.
If they’re OK and it’s notarized correctly, you’re prompted to decide whether to run the app.
If you say yes, the quarantine flag is cleared, and the app doesn’t have to go through first run checks again.

As I described earlier this week, that omits app translocation, should the app meet its criteria. Not only that, it treats the quarantine flag, actually an extended attribute or xattr, as having binary state, which is incorrect. The reality is rather more complex in important respects, and has also changed in the last couple of years.

A typical quarantine xattr, com.apple.quarantine, consists of a Unicode string of the form
0083;5991b778;Safari.app;BC4DFC58-0D26-460D-9688-81D119298642
with the components:

0083, the quarantine value in hexadecimal text,
5991b778, the time at which the xattr was attached, in hexadecimal text,
Safari.app, the app or agent responsible for creating the xattr (normally the downloading app too),
BC4DFC58-0D26-460D-9688-81D119298642, a UUID referring to the entry for this quarantine flag in the QuarantineEvents database

separated by semi-colons.

When you download an app, perhaps compressed into an archive, that normally has a quarantine value of 0083 attached to it in the xattr. That’s not built into macOS, and some methods of downloading such as curl can obtain files without attaching any quarantine xattr to them. Transfer a file using AirDrop, and the quarantine value is normally 0081 instead.

Quarantine xattrs are sticky due to the way they’re normally respected. When Archive Utility unpacks and decompresses a file with a quarantine xattr, it propagates that xattr to all the resulting files. So an app decompressed from a Zip archive will bear the same quarantine value, on each of its files and folders. Not all decompression utilities follow that, but all the more popular ones do.

Once decompressed from its download, if you follow my advice and move that app to a different folder, such as one of the standard Applications folders, when you run it the normal first run sequence takes place, much as described at the top. The quarantine value is then set to 01c3, and no further first run checks are performed on that app.

If you ignore my advice and run the app in the same folder, it’s translocated and undergoes its first run in a random directory buried deep in hidden folders. That translocated app still undergoes all the normal first run checks, but there are two important differences:

The quarantine value on the original app (not its translocated copy) is changed not to 01c3, but only to 00c3, sufficient to dodge the dialog asking you whether you want to run the app.
Next time the app is run from that same folder, it’s run in translocation again, and can only escape future translocation if it’s moved out of its original folder and run again.

Over the years, macOS has used the quarantine value in subtly different ways. It now appears that, to escape perpetual translocation, the high order bit must be set, turning the first byte given from 00 to 01. That won’t be done so long as the app hasn’t been moved from its original folder, under the translocation rules.

One popular workaround used by developers to get out of app translocation is to strip the quarantine xattr completely. Provided that’s done after first run checks have been completed, that seems fine, but it’s bizarre that it should be necessary to undo one security mechanism to cope better with another. However, as the only other way to escape translocation jail is to move the app to a different location, there’s no really good solution. As a process, app translocation doesn’t offer any way ahead.

Another important point to note here is that what stops translocation isn’t a change in the full path to the original app, merely the folder in which the app is located. For example, if you download and decompress XProCheck, you’ll see it comes in a folder named XProCheck10. If you move that folder to another folder, even /Applications, and run XProCheck within it, then it will still be translocated. The moment you move the app out of that into a different folder, translocation will cease, and its quarantine value will be set to the magic 01c3. It will finally have completed all its first run checks.

There’s one last thing too. In the past, when quarantine flags were cleared, every file and folder inside the app had its quarantine flag cleared. That doesn’t appear to be the case in Monterey, as only the com.apple.quarantine xattr on the .app bundle folder is cleared now, while those internal to the app are left at 0083.

When Apple introduced app translocation six years ago, apps were very different. Many weren’t even signed, and there was no such thing as notarization. It seems strange that, despite having hardened runtimes, having been scanned for malware by Apple, and been notarized, those same rules should still apply to modern apps distributed outside the App Store.

16Comments

Add yours

1

bwillius on September 9, 2022 at 7:40 am

I’ve added a check for translocation for my application. It’s a simple check if the path of the app starts with /private/.

A translocated app can work perfectly fine. LittleSnitch rules aren’t permanent. The biggest problem with translocated apps usually comes with loading of files next to the app like plugins.

LikeLiked by 1 person
- 2
  
  hoakley on September 9, 2022 at 11:03 am
  
  Thank you.
  My frustration here is that I routinely run my own apps in translocation, and have never seen a problem. They don’t load other files like plugins, but are straightforward self-contained AppKit apps. Yet some users report crashes in translocation. As few users are aware of translocation, they don’t know the obvious solution, and assume that it’s my app’s fault. Given that those apps are notarized, thus ‘checked by Apple for malicious software’, and using the hardened runtime, why should they need to undergo translocation in the first place?
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Jon on September 9, 2022 at 11:31 am
    
    Wild guess as to why your signed and notarized app gets translocated: perhaps these users answered “no” the first time they were asked if they want to run the app. That could trigger a change to the quarantine xattr, and the change could have a side effect of forcing translocation if the user runs the app later by answering “yes”.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 9, 2022 at 10:15 pm
      
      Thank you.
      No – the rules are fairly simple, and apply irrespective of whether an app is signed or notarized (which is odd): if you run the app for the first time in the same folder that it ‘arrived’ in, then it will be translocated. If you move it first, it won’t.
      If you cancel that first run by declining the invitation to open it in the dialog, all that happens is the quarantine xattr remains unaltered, at 0083, and the next time you try to run it, it’s the same as a first run.
      If you accept the app on its first run but don’t move it from that folder, then the next time you run it, although it doesn’t undergo first run checks, it’s still translocated, as it will be every time it’s run until either the app is moved from that folder, or the quarantine xattr is removed altogether.
      Howard.
      
      LikeLike
5

Joss on September 9, 2022 at 11:28 am

I’m running a little menu bar helper app called Mountain by appgineers (Intel only). When set to “notify when volume becomes available”, I can immediately detect a translocation, because it’s basically the mounting of a new volume with a recognizable volume naming pattern. Problem is that the app hasn’t been updated for a long time & might be abandoned, so when I switch to Apple Silicon at some point, I’ll need a new solution. (I also bought Jettison by St. Clair Software, but sadly it’s lacking this kind of notification functionality.) But I also have the great app EventScripts by Mousedown Software, and it allows me to run scripts on a number of system events, incl. when a volume is mounted. So this could be my workaround: just check the path for /private in the script, or just the volume naming pattern, and notify.

LikeLiked by 1 person
- 6
  
  hoakley on September 9, 2022 at 10:09 pm
  
  Thank you.
  As a user, the simple thing to do is just move the app to a different folder before running it the first time.
  Howard.
  
  LikeLike
  - 7
    
    Joss on September 10, 2022 at 10:34 am
    
    This is true. In my setup, however, I do need a translocation notification. I remove the quarantine XA from every downloaded app, both from the original dmg/zip/pkg, then again from the app itself, because sometimes old quarantine XAs are accidentally attached to an app on a dmg volume. (Needless to say, yes, apps need to go into /Applications or preferably & if possible into ~/Applications etc.) Before launching, I then run my own scripts on the app, checking for signatures & notarization, even comparing the current SKID to the previous one (stored in a database), and checking if the certificate itself is trusted. (Nota bene: lately, some apps’ certificates are not trusted, even if the app is correctly notarized, has a chain from Apple Root CA etc.) Bottom line: I don’t (fully) trust Apple & their OS, and I always want to verify everything myself with my own automated process. Weirdly enough, with all of these additional steps, maybe once a year, an app that seems OK will be translocated, even when it’s in one of the default macOS applications paths, and then I have to manually inspect it in iTerm. So that’s why translocation notifications are important to me.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on September 10, 2022 at 5:18 pm
      
      Goodness, that all seems quite unnecessary!
      In recent versions of macOS, all this is handled thoroughly on first run. Indeed, it addresses one serious problem which you don’t appear to have considered, but spctl and codesign do: signatures remain valid after the expiration of certificates, as they have to.
      The rule for app and code signatures is that the certificate chain has to be valid at the time the code was signed. If that wasn’t the case, then (for instance) when my current app signing signature expires later this month, I’d have to rebuild, re-sign, and re-notarize every one of my apps. Hence the requirement for a secure and accurate timestamp in the signature.
      This is taken into account when you use spctl to perform a deep signature verification, but not if you separate the certificates and check them individually. And that may account for the problems you are seeing with expired Apple certificates.
      This is further complicated by the fact that distribution signatures, used for installers for instance, work differently, and their certificates must be valid at the time of installation, which is why I recently had to reissue all my command tools with installers using an updated signing certificate.
      spctl and codesign will handle them all, and more. Of course, if you strip the quarantine flag, then macOS won’t perform those checks for free, greatly increasing your work. I also have several apps, notably ArchiChect, which save you having to use the right commands, and do all this for you.
      Howard.
      
      LikeLike
  - 9
    
    Joss on September 10, 2022 at 10:41 am
    
    fyi: the command to check if a code-signing certificate (after exporting it with the codesign CLI) is trusted is: `security verify-cert -c codesign0` … if macOS doesn’t trust a certificate, it’s probably not something nefarious… it could just be that macOS keychain isn’t up-to-date. (?) But it’s part of my setup anyway.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on September 10, 2022 at 5:20 pm
      
      Does that check whether the certificate was valid at the time the app or code was signed, using the secure timestamp? I think not, in which case it will report spurious failures, I’m afraid.
      Howard.
      
      LikeLike
11

stuartjash on September 12, 2022 at 10:59 pm

Super interesting!

I think I’m getting some different results once running the .app and allowing it to pass the gatekeeper check. If I xattr -p com.apple.quarantine against the main binary, I’m seeing the quarantine value flag set to 00c3, at least in the few tests I’ve tried. Will definitely keep digging though.

LikeLiked by 1 person
- 12
  
  hoakley on September 13, 2022 at 12:42 pm
  
  Thank you.
  Howard.
  
  LikeLike
13

Joss on December 29, 2022 at 10:37 am

Last night I discovered a strange translocation incident, which might actually be a bug in macOS (Monterey). I only discovered it because I have BlockBlock by ObjectiveSee installed.

The origin was a Shortcut I had put together, because I didn’t want to buy a whole app just to read a QR Code with the iSight camera. The shortcut has four actions: (1) Take 1 photo with camera with Show Camera Preview ; (2) Save the file (variable “theQRScan”) to ~/tmp without Ask Where To Save without Subpath with Overwrite If File Exists ; (3) Run Shell Script ` zbarimg -q –raw “$1” 2>/dev/null ` with Shell zsh (default shell) with Input “theQRScan” with PassInput as arguments without Run as Administrator ; (4) Copy Shell Script Result to clipboard without Local Only without Expire At

Now, the incident happened with the selection of the Shell. I originally did not tweak those settings, and left the default selection “zsh” as is… and the shortcut worked just fine. Later on, however, I had a look at the Shell menu to see which shells I could also select, and I manually selected macOS’ default shell /bin/zsh from the list, just to be sure that the action wasn’t using /usr/local/bin/zsh which I had installed with Homebrew (for manual use in iTerm only). And then, when running the shortcut again, BlockBlock notified me that /bin/zsh was trying to execute an unnotarized script.

Selecting a different shell in the “Run Shell Script” action didn’t help. I had to delete the action from the shortcut and re-insert it, while not touching the shell menu, i.e. leaving the default selection. Very strange behavior.

LikeLiked by 1 person
- 14
  
  hoakley on December 29, 2022 at 5:49 pm
  
  That is odd. I’m also puzzled by the info from BlockBlock, as you can’t notarise a script, so that doesn’t appear to make sense. Once constant worry is whether in the course of editing the script it gained either a quarantine flag or the com.apple.macl xattr, which can play havoc with executable scripts.
  Howard.
  
  LikeLike
  - 15
    
    Joss on December 30, 2022 at 5:22 pm
    
    Very odd indeed. It seems that once you manually select a shell in the Shortcut action, macOS will translocate the shell script, even if it’s just a command one-liner you have input directly into the action, and will (in my case) also translocate the iSight photo image file, possibly recreating the access path in the translocation environment. So the whole Shortcut still works, but you always get the BlockBlock warning. If you do *not* select any shell from the Shortcuts action menu, it will run just fine without any BlockBlock warning. (Maybe the Shortcuts database in the user library contains its own copy of the default zsh which it runs “contained”?) I also did a quick test: I moved my shell command to its own shell script, expanded it a bit, then C-compiled the script with shc and code-signed it with an Apple certificate, but the result is the same: once you select a discrete shell, translocation will ensue. 🤔
    
    LikeLiked by 1 person
    - 16
      
      hoakley on December 30, 2022 at 5:46 pm
      
      This could only have been introduced into Shortcuts, then.
      App translocation only works in a limited set of circumstances, in which a quarantined app is run in the folder to which it was downloaded in the first place. It only translocates the app too, and can’t move any files it might download, although I suppose that might occur if they were saved to relative file locations.
      I don’t understand how your script is being given a quarantine flag in the first place, nor how the image file is being moved too. I presume that you have verified the paths, and the quarantine flag?
      Howard.
      
      LikeLike

·Comments are closed.

Share this:

Like this:

Related