How does Sonoma check an app before launch?

Most major versions of macOS bring changes to the checks made on apps before they can be launched, and Sonoma is no exception. In the light of Apple’s newly revised Platform Security Guide, and some light reading of logs, this article tries to outline how this works in Sonoma 14.4.1 for a third-party app that is correctly signed and notarized by Apple.

As launching an app these days can generate thousands of log entries in a matter of a few seconds, and there are many different scenarios and variations, this account concentrates on broad principles and skips many details. Prominent and loquacious sub-systems such as TCC and RunningBoard are largely glossed over, in an effort to tell the wood from thousands of trees.

Major features involved include:

Quarantine
LaunchServices database
CDHashes in the app’s signature and notarization ticket
App translocation
Gatekeeper assessment
XProtect direct malware and dylib scan
App first launch prompt
Provenance data.

Main features

Quarantine is set in an extended attribute attached to an app’s folder and contents. When an app is downloaded from the Internet, or transferred between Macs using AirDrop, the app responsible for transfer normally attaches an extended attribute of type com.apple.quarantine, within which is a flag indicating that quarantine is set. Apps that unarchive formats such as Zip normally propagate quarantine extended attributes to all the files they generate. Thus, the presence of a com.apple.quarantine extended attribute is a good indicator of external origin, as a result of which LaunchServices treats the app bundle as untrusted.

LaunchServices maintains a database of all app bundles that it has launched, and have thus become known to it. When an app is already detailed in one of the records in that database, the information provided is normally sufficient for its bundle to be trusted, and its checking and launch will be shortened.

As part of the process of signing an app, hashes are created for its components, and these are hashed again to form a tree of CDHashes. Sonoma uses these to check the integrity of each part of an app, by comparing freshly calculated hashes against values saved in its cache of CDHashes. Notarization tickets also consist of CDHashes, and those are compared against Apple’s records over a CloudKit connection to verify that app’s notarization status.

If a quarantined app is run from the same folder that it was first created in, that’s detected by macOS, and is normally an indication that, before it can be checked and launched, that app will be copied to a hidden folder in an unpredictable path such as /private/var/folders/x4/[random]/T/AppTranslocation/[UUID]/d/, a process known as app translocation. This can normally be avoided simply by moving the app into an Applications folder before launching it for the first time.

Gatekeeper assessments are now performed on all apps and executable code even if they’re not quarantined, although those run on code that has already been evaluated are briefer, and may consist only of checks on CDHashes without looking up the notarization ticket remotely or scanning by XProtect.

XProtect in this case refers to the on-demand check for malware against the set of static rules kept in the XProtect bundle. Those are intended to detect known malicious software, and are updated at frequent intervals. They’re different from the daily background scans performed to detect and remediate malware by XProtect Remediator, and from the third and latest form of XProtect that monitors suspicious behaviour.

When a notarized app is run for the first time and is quarantined, macOS asks the user to give their explicit consent in a dialog shown once checks have confirmed that it’s safe to run.

Later versions of macOS Ventura added a new database that tracks all apps that have been quarantined, using another extended attribute, of type com.apple.provenance. The purpose of this isn’t fully understood yet, but it may be related to the new behavioural variant of XProtect.

Check sequence

This is summarised in the simplified diagram below, derived from tracing these checks being made on several different apps, ranging from a well-known app that has been run frequently out of quarantine, to quarantined apps run in their original location and when moved into the /Applications folder.

LaunchSonomaApp1

A PDF version is available from here: LaunchSonomaApp1

The first two steps establish whether the app is already known and approved, and can be fast-tracked, or needs to be treated as untrusted and subject to more extensive assessments. That depends on whether the app is quarantined, and whether it’s already in LaunchServices’ database.

The fast track still brings a Gatekeeper assessment in every case, but when the code has already been evaluated and its CDHashes have been cached, and match, the app can be launched by RunningBoard within 0.1 seconds.

At the other extreme is an app that is unknown to LaunchServices (and its CDHashes aren’t cached), and is in quarantine. Before its Gatekeeper assessment takes place, CDHashes are copied for checking later, and the decision made whether to translocate it, if it’s being run from its original folder. It’s important to note that this isn’t the full path that’s checked: if a quarantined app arrives in a folder named Extras and that folder is moved to an Applications folder, then translocation is still expected.

Gatekeeper assessments then include a direct on-demand scan by XProtect for malware and dylibs, which may be deferred when the app is running in translocation. If those checks are completed successfully, then the user is prompted to decide whether to continue and launch the app. Only after code evaluation has been completed successfully are details of the app added to the provenance database. Typical time from the start of checks to the user prompt is around 0.5 seconds when all goes well.

Key points

All apps and executable code undergo Gatekeeper assessment, including CDHash checks.
XProtect malware and dylib scans are performed on all quarantined apps.
Online notarization checks via CloudKit are normally made on quarantined apps.
If an app is updated or changed so that it no longer matches its entry in the LaunchServices database, or its CDHashes change, then a more extensive Gatekeeper assessment is made, including XProtect scanning.
If an app is incorrectly updated or changed so that its CDHashes change but those remain associated with unchanged file inodes, then that should be detected and treated as failure to match the app’s signature.
Apps run from the same folder they arrived in are translocated before Gatekeeper assessment.
When successful, apps are now launched through RunningBoard rather than LaunchServices.

13Comments

Add yours

1

Arnaud on May 9, 2024 at 7:17 am

Nice article as usual.

While wondering what would happen if the downloaded app isn’t quarantined by the download process (e.g. you make your own app to download the app and don’t set the attribute), I looked at your diagram. As shown there, since the app isn’t quarantined and isn’t already known, it follows the same path as if it was quarantined. That would mean the quarantine flag has meanings only for re-downloaded apps that already ran on the computer.

LikeLiked by 1 person
- 2
  
  hoakley on May 9, 2024 at 5:10 pm
  
  Thank you.
  No: quarantine is one of the requirements for an app to be translocated. For instance, if you download one of my apps from here and unZip it in place, then run it, it will be translocated. If you leave it in the folder it arrived in, and move that folder to your Applications folder, then it will still be translocated. If instead you move the app from its folder in Downloads, and drop just the app into Applications (in the Finder), then it shouldn’t be translocated.
  That remains one of the major functions of quarantine.
  Howard.
  
  LikeLike
  - 3
    
    Arnaud on May 10, 2024 at 8:36 am
    
    Thanks for your reply. However, I’m not sure you got my comment correctly (probably because English isn’t my native language).
    
    What I meant was: what if the app that downloads a .dmg file doesn’t add the quarantine xattr to the downloaded .dmg? (like you program your own app, which downloads a .dmg file using CURL, and don’t add the quarantine xattr).
    
    LikeLiked by 1 person
    - 4
      
      hoakley on May 10, 2024 at 8:51 am
      
      Then that downloaded app either doesn’t have a LaunchServices record, or its CDHashes are new anyway, so it follows the path shown. That has changed over recent years: as you pointed out, XProtect checks used to be triggered only by quarantine, but now that’s not a requirement – on their first run, all apps undergo XProtect checks etc. The only thing that doesn’t happen is app translocation.
      Howard.
      
      LikeLike
5

fds on May 9, 2024 at 7:24 am

This talk of the quarantine xattr reminded me, I always wondered what the rationale behind slapping a quarantine flag on local documents once opened with local apps is.

Receiving a file from an outside source, whether via Safari, Mail, AirDrop, it makes total sense to flag any kind of document, even beyond apps, to mark them as worth treating with some extra caution. Perfectly reasonable.

But let’s say I take a screenshot on my local Mac. The resulting file nowadays gets the usual screenshot metadata xattrs, com.apple.macl, lastuseddate, but no quarantine. Then I open it in Preview, without even making any edits, and boom, now it’s got a quarantine flag from Preview. What for? What’s the point of it? It seems to have no effect, no use. Yet it’s been like this forever, ever since quarantine flags were first introduced.

LikeLiked by 1 person
- 6
  
  hoakley on May 9, 2024 at 5:12 pm
  
  Thank you.
  I too have complained about this in the past, but Apple has only added further xattrs such as com.apple.macl and com.apple.provenance since. As it doesn’t even acknowledge their existence, the chances of doing away with com.apple.quarantine on documents seem pretty slim.
  At least we know that xattrs aren’t going to be deprecated for a while!
  Howard.
  
  LikeLike
7

Brian on May 9, 2024 at 4:45 pm

Thanks Howard. Can any of your apps check and see which apps are in translocation? If an app is not in translocation, but is updated manually or automatically in a subdirectory, will it remain that way or become translocated? Thanks.

LikeLiked by 1 person
- 8
  
  hoakley on May 9, 2024 at 5:39 pm
  
  An app can test whether it’s running in translocation, and I suppose another app could inspect the path of its running process(es) to determine that, but I’m not aware of any utility that does that, unless you were to inspect the processes and files in Activity Monitor.
  The traditional requirements for an app to be translocated are that it:
  – is in quarantine when launched
  – is launched from the same folder that it was quarantined in (e.g. was unZipped into)
  – hasn’t been moved to another folder in the Finder
  – is launched by LaunchServices, i.e. run from the Finder, not Terminal.
  Update mechanisms like the popular Sparkle don’t leave any files in quarantine, so translocation won’t occur. If you drag an app manually into another folder, then it won’t be translocated as it has been moved from its point of arrival using the Finder.
  I hope that is a bit clearer.
  Howard.
  
  LikeLike
9

Steven Gold on May 9, 2024 at 8:35 pm

“Online notarization checks via CloudKit…”

What happens if the computer doesn’t have an active internet connection?

LikeLiked by 1 person
- 10
  
  hoakley on May 9, 2024 at 8:40 pm
  
  Then those checks can’t be made. As apps are normally supplied with their tickets stapled to them, macOS will do the best it can with that ticket. Revocation information is also cached locally as much as possible, but without an Internet connection current status cannot be checked.
  You can run notarised apps without any network connection at all.
  Howard
  
  LikeLike
11

citizenmatt on May 14, 2024 at 11:15 am

Nie article, thanks. Do you know if it’s possible to perform the verification silently, in the background? I have a helper app that updates a main app, and then needs to run it to complete the update, and macOS will show an intrusive “verifying” progress bar. I don’t want to circumvent the verifying, but it would be great to be able to tell the system to do it silently, and only show an error if something was wrong. Do you know any way of doing that?

LikeLiked by 1 person
- 12
  
  hoakley on May 14, 2024 at 4:35 pm
  
  AFAIK apps and users have absolutely no ability to influence such matters. Sorry.
  Howard.
  
  LikeLike
  - 13
    
    citizenmatt on May 15, 2024 at 8:03 am
    
    That’s a shame. Thanks anyway!
    
    LikeLiked by 1 person

Main features

Check sequence

Key points

Share this:

Related