hoakley September 12, 2024 Macs, Technology

From quarantine to provenance: extended attributes

One of the innovative features in classic Mac OS was its use of resource forks, allowing structured metadata to be attached to any file. When Mac OS X merged that with the more traditional Unix approach adopted by NeXTSTEP, those were nearly lost. Classic Mac apps were restructured from storing most of their components, including their executable code, in their resource fork, when Mac OS X flattened those into an app bundle consisting of a hierarchy of separate files in folders, without any resources.

For the first four years of Mac OS X resource forks were reluctantly tolerated, until the solution came in 10.4 with the introduction of extended attributes, including one to contain what had previously been stored in the resource fork, which became an extended attribute or xattr with the name com.apple.ResourceFork.

All files in HFS+ and APFS (and other file systems) contain a fairly standard set of metadata known as attributes, information about a file such as its name, datestamps and permissions. Xattrs are extensions to those that contain almost any other type of metadata, the first notable xattr coming in Mac OS X 10.5, named com.apple.quarantine. That contains quarantine information for apps and other files downloaded from the internet, in a format so ancient that the quarantine flag is stored not in binary but as text.

The quarantine xattr provides a good demonstration of some of the valuable properties of xattrs: it can be attached to any file (or folder) without changing its data, and isn’t included when calculating CDHashes for code signatures. It can thus be added safely without any danger of altering the app or its code, although it does change the way in which macOS handles the code, by triggering security checks used to verify it isn’t malicious. Once those have been run, the flag inside the quarantine xattr can be changed to indicate it has been checked successfully.

Far from being a passing phase, or dying out as some had expected, xattrs have flourished since those early days. This has happened largely unseen by the user: few change anything revealed in the Finder’s Get Info dialog, although they’re used to store some forms of visible metadata such as Finder tags, and the URL used to download items from the internet. Editing xattrs is normally performed silently: you’re not made aware of changes in the quarantine xattr, and in most cases the only way to manage xattrs is to use the xattr command tool, or one of very few apps like xattred that can edit and manage them.

Examples

Among the well-known and important xattrs you can encounter are:

com.apple.quarantine the quarantine xattr, containing a quarantine flag
com.apple.rootless marks items individually protected by System Integrity Protection (SIP)
com.apple.provenance contains data about the origin of apps that have been quarantined
com.apple.metadata:kMDItemCopyright records copyright info
com.apple.metadata:kMDItemWhereFroms the origin of downloaded file as a URL
com.apple.metadata:_kMDItemUserTags Finder tags
com.apple.TextEncoding reveals text file encoding
com.apple.ResourceFork a classic Mac resource fork

Storage

In APFS and HFS+, xattrs aren’t stored with file data, nor with a file or folder’s normal attributes.

fileobjects

For smaller extended attributes up to 3,804 bytes, their data is stored with the xattr in the file system metadata. Larger extended attributes are stored as data streams, with separate records, but still separately from the file data. Apple doesn’t give a limit on the maximum size of xattrs, but they can certainly exceed 200 KB, and each file and folder can have an effectively unlimited number of them.

Persistence

Most file systems to which macOS can write either handle xattrs natively (HFS+, APFS), or macOS uses a scheme to preserve them, as in the hidden files written to FAT and ExFAT volumes. NFS is an important exception, and files copied to NFS will have all their xattrs stripped. Neither are extended attributes unique to Macs: most file systems used by Linux support them, and even Windows can at a push.

Because xattrs contain a wide range of metadata, some are treated as being ephemeral, others as persistent. Moving files with xattrs around within the same volume shouldn’t affect their xattrs, as that takes place within the same file system. Copying files to another volume, even if both use APFS, may leave some xattrs behind if they’re considered to be ephemeral.

iCloudDriveFileSummary4

The most complex situation is when a file with xattrs is moved to iCloud Drive. The Mac that originated that file is likely to retain most if not all of its xattrs, because the local copy remains within the same volume and file system. However, not all xattrs are copied up to iCloud storage, so other Macs accessing that file may only see a small selection of them. The rules for which xattrs are to be preserved during file copying, including in iCloud Drive, are baked into macOS, and the subject of the next article.

12Comments

Add yours

1

Enzo Vincenzo on September 12, 2024 at 6:57 am

Good morning Howard. But do the dot+ underscore ._ characters that macOS adds to duplicate named files when we copy files and folders to non-Apple formatted disks, contain Extended Attributes or what? Similar oddities also happen in creating .ZIP archives and perhaps at other times. The mechanism for folders should be a little different since the result changes, in Terminal, if I issue the command “dot_clean -v” (with or without sudo). I also see that deleted dot files recreate themselves if, for example, I open and edit the corresponding text file or whatever.
For example: if there is a “config.ini” file and I edit it, it recreates from scratch “._config.ini” that I had deleted
I was a bit imprecise in my description, but I think you understand what I’m referring to regarding this behavior that intrigues few, but is perhaps useful to understand since, for example, we might want to delete extended content in creating and passing a flash drive or disk to someone.
Thank you

LikeLiked by 1 person
- 2
  
  hoakley on September 12, 2024 at 8:32 am
  
  Yes, Enzo – those are the hidden files containing extended attributes for each of the items a Mac writes to non-native file systems such as ExFAT and FAT32. And they are also used to contain the same extended attributes in some compressed/archived formats.
  I’m not sure why you want to delete them, as if you do so, when you access that storage from a Mac, all the extended attributes will have vanished. I believe that you can use the BlueHarvest app to automatically stop them being created, if you feel the need.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Enzo Vincenzo on September 12, 2024 at 12:11 pm
    
    I don’t usually delete them, but I do whenever I have to share a stick or disk with Windows users.
    Several times, in fact, especially with users who are very inexperienced with computers (but to whom the vendor or friends or they themselves have enabled the viewing of hidden files), . “._Example.jpg” files or other files or extra folders, created from .ZIP archives, cause confusion… Sometimes they have phoned me saying that the computer would not open the photos or texts or whatever I had given them. Now I can’t check and I don’t want to be wrong, but sometimes ._files appear in Windows even if the option to hide invisible files and folders is activated.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 12, 2024 at 4:35 pm
      
      Ah, the delights of Windows and its users…
      Howard.
      
      LikeLiked by 2 people
5

joethewalrus on September 12, 2024 at 7:35 am

Not one to be patient for tomorrow’s article, I was intrigued by the possibility of the copyright xattr*, so i downloaded xattred in order to play around with it. Sadly, I don’t seem to be able to get it to persist from one Mac to another through iCloud syncing or through Screen Share file transfer. It does persist through a SMB share though, present both when the file is accessed over the network and in the file when it has been copied to the local hard drive. Always learning! Thank you for demystifying another piece of macOS for us.

*I provide support and advice to an elderly friend who is a prolific author and music composer. Her preference is to keep multiple Macs for dedicated tasks, at both her primary residence and at her secondary home with her son and his spouse, which is in another state. Storing copyright data like this would be right up her alley, except I know we would be forever chasing stripped xattr’s as she shuffles data around. Oh well. Not every feature is for everyone.

LikeLiked by 2 people
- 6
  
  hoakley on September 12, 2024 at 8:36 am
  
  Thank you. If you want to add informative metadata in extended attributes, then I recommend using Metamer (from the same product page as xattred) which is intended to make this easier.
  Yes, some xattrs are retained, and others aren’t, depending on the flags that I’ll explain in detail tomorrow morning. And then on Tuesday morning next week, I’ll explain how that has changed in Sequoia – with a little (pleasant) surprise!
  Howard.
  
  LikeLiked by 3 people
7

geriatricguy on September 12, 2024 at 3:07 pm

These hidden files on iCloud must take up room. It just wonder how much room they use since if you have a boat load of files uploaded to iCloud then they are taking up space that the enduser doesn’t see and Apple doesn’t let you know about.

LikeLiked by 2 people
- 8
  
  hoakley on September 12, 2024 at 4:38 pm
  
  On iCloud Drive, xattrs aren’t stored separately, but as ‘part’ of the file. Yes, they do take up space, but that’s generally small as most xattrs aren’t preserved by iCloud Drive, so don’t get synced in the first place. More details tomorrow.
  Howard.
  
  LikeLiked by 1 person
9

Paul R on September 13, 2024 at 2:23 pm

“That contains quarantine information for apps and other files downloaded from the internet, in a format so ancient that the quarantine flag is stored not in binary but as text.”

Would you be kind enough to help a non-developer understand this? I would have imaged text to be less ancient than binary (since must all be binary at some point). How do you mean this? What is the significance of this?

LikeLiked by 1 person
- 10
  
  hoakley on September 13, 2024 at 2:39 pm
  
  This is a common characteristic in some older file formats. In this case, the quarantine flag is a binary/hex number, and different positions in that binary representation mean different things. For example, when quarantine is cleared a particular binary digit is changed from 0 to 1 to ‘clear’ the flag.
  If you store the number as text of the hex, then it has to be read in, range checked to ensure that it doesn’t contain illegal characters such as G or H, then converted into binary. The effect of flipping the bit has to be worked out in terms of how it changes the text representation, and that written out to the flag. Although there are quick ways to do that, there’s plenty of scope for bugs, and it’s inefficient. There’s no good reason why the flag couldn’t be in binary in the first place, AFAIK.
  Howard.
  
  LikeLike
11

Paul R on September 13, 2024 at 2:28 pm

Also … if the xattr is not part of the checksum calculation, what stops a malicious app or actor from altering the quarantine status?

LikeLiked by 1 person
- 12
  
  hoakley on September 13, 2024 at 2:43 pm
  
  Nothing. Indeed, there’s no special protection afforded to the whole xattr, so the simple answer is to strip it, and some malware does exactly that. Quarantine remains a gentleman’s agreement: the downloading app has to attach the quarantine xattr in the first place, and there are some ways of downloading files that don’t attach one at all (although that’s slowly dying out).
  This is why macOS relies a lot less on quarantine flags now, and uses more powerful mechanisms that can’t be bypassed, such as CDHashes.
  Howard.
  
  LikeLike

·Comments are closed.

Examples

Storage

Persistence

Share this:

Related