Verify that the app doesn’t change file extended attributes, discover why false flags result from updating apps in place, check who has been changing your preferences, and learn how to add App Store apps to Provenance tracking.
com.apple.provenance
A new app to check files for Provenance IDs and Quarantine information, providing info about the origin and recent edit history of those files.
In a typical ~/Documents folder, 14% of all files have a provenance xattr attached to them, which could enable the app that last modified them to be identified. Could we make use of that?
Why do so many files now have quarantine and other extended attributes, although they’re not apps, and may never have left that Mac?
New version of this GUI utility for inspecting and editing extended attributes, for High Sierra and later.
Which extended attributes are attached to downloaded archives and apps? How do they fit in with provenance tracking?
Is provenance tracking intended to make app launch times shorter despite new Gatekeeper checks, or is it trying to make it harder to cheat?
How the new tracking extended attribute is attached to apps, how it’s recorded in a security database, and how it’s checked. But for what purpose?
Ventura introduces a new extended attribute com.apple.provenance, used to mark successful clearance of quarantine. It’s protected by SIP too.
