In a typical ~/Documents folder, 14% of all files have a provenance xattr attached to them, which could enable the app that last modified them to be identified. Could we make use of that?
com.apple.provenance
Why do so many files now have quarantine and other extended attributes, although they’re not apps, and may never have left that Mac?
New version of this GUI utility for inspecting and editing extended attributes, for High Sierra and later.
Which extended attributes are attached to downloaded archives and apps? How do they fit in with provenance tracking?
Is provenance tracking intended to make app launch times shorter despite new Gatekeeper checks, or is it trying to make it harder to cheat?
How the new tracking extended attribute is attached to apps, how it’s recorded in a security database, and how it’s checked. But for what purpose?
Ventura introduces a new extended attribute com.apple.provenance, used to mark successful clearance of quarantine. It’s protected by SIP too.
