Not that many years ago, it looked like extended attributes (xattrs) were going to fade away. Instead, the transition to APFS has seen them proliferate, and I’ve found myself using my free xattr editor xattred more and more often. It’s almost six years old now, and has been based on some macOS features that are destined for removal. So the time is right for a new version.

Extended attributes enable files to have a great deal more than just their data.

File objects in APFS are required to have an inode and its associated attributes, including its timestamps and permissions. Unless the file is empty, they have a file extent that sets out where their data is. They can also have xattrs, which are either of two types: self-contained xattrs can contain up to 3804 bytes of data inside them, or for larger xattrs there is a data stream, accessed through a data stream record.

This makes small xattrs, those with less than 3804 bytes of data, relatively cheap and very flexible. Among the more topical types of xattr in recent months have been:

• com.apple.quarantine, containing the quarantine settings for apps and files downloaded from the internet, transferred via AirDrop, or in many cases simply edited locally;
• com.apple.macl, containing a reference to an app that’s allowed to edit a document under privacy rules; this is notorious as it’s usually protected by the same mechanism responsible for SIP, so the xattr may not be removable;
• com.apple.provenance, a newcomer that’s used by the security subsystem in Ventura to track the provenance of apps that have cleared quarantine.

xattred lets you inspect all the xattrs for files and folders, and cut/copy/paste them. For developers who want to check that their apps can clear quarantine properly, it can add a com.apple.quarantine xattr for that purpose. It also includes support for xattr flags, which determine whether any given xattr is stripped or preserved when a file is copied between volumes, or to iCloud.

Many xattrs use property lists to store their data; xattred’s editor recognises those automatically and lets you edit their contents in a property list structure.

It has three special features that make it valuable in research:

• A Crawler that will search all the files in a directory tree and list all the xattrs it finds, or list those of a specific type. I’ve been using this to locate and investigate com.apple.provenance xattrs recently.
• A Stripper to remove all xattrs of a specific type throughout a directory tree.
• A Compare window, to compare all the xattrs between two different files.

xattred isn’t a front end to the xattr command tool, but works directly with macOS features for manipulating xattrs.

xattred version 1.4 for High Sierra and later is now available from here: xattred14
from Downloads above, from its Product Page, and via its auto-update mechanism.

I hope you find it as useful as I do.