Verify that the app doesn’t change file extended attributes, discover why false flags result from updating apps in place, check who has been changing your preferences, and how to add App Store apps to Provenance tracking.
com.apple.quarantine
A new app to check files for Providence IDs and Quarantine information, so providing info about the origin and recent edit history of those files.
Why do so many files now have quarantine and other extended attributes, although they’re not apps, and may never have left that Mac?
It has often been assumed that App Store apps don’t undergo app translocation. That isn’t true: here’s an example of one that gets stuck in eternal translocation because it comes with an unwanted gift.
Gatekeeper may decide to run a new app from a random location, in translocation. The rules for this are explained, and how to ensure that doesn’t affect your apps.
New version of this GUI utility for inspecting and editing extended attributes, for High Sierra and later.
Which extended attributes are attached to downloaded archives and apps? How do they fit in with provenance tracking?
There’s more to the quarantine flag, as it’s not binary on/off, and app translocation can trap even notarized applications if you don’t move them right.
Quarantine flags first appeared in 2007. This explains how they work, what they do, and the differences between app and document quarantine.
Most quarantine flags in your Mac aren’t on apps but documents. Details of how they’re added, what info they contain, and what they do.
The Eclectic Light Company 