By default, quarantine xattrs aren’t attached to new files created by an app. That behaviour is controlled by a setting in their Info.plist, and can be overridden in an Exceptions property list.
quarantine
Why do so many files now have quarantine and other extended attributes, although they’re not apps, and may never have left that Mac?
When someone reports that the most recent version of Safari that will open their webarchives is 18.6, and that is the only version you find can’t open some webarchives, you’ll be only too familiar with the culprit.
Whether or not a quarantined and notarized app undergoes translocation, Tahoe doesn’t run XProtect checks to determine if it’s malicious. And how to tell when an app is running from translocation.
Notarization is now obligatory for developers, but at the same time, we’re still able to run our own apps that aren’t notarized. Here’s how that works, and why.
App launch security is built in multiple layers, and not all checks are run on every launch of an app. Syspolicy plays a key role, CDHashes are now central, and XProtect scans can make checks on large apps slow.
Three malicious apps – Atomic Stealer, Genieo and XCSSET – against macOS 14.6.1, with full security, SIP disabled, and Gatekeeper disabled.
If you thought spctl disabled Gatekeeper assessments, and disabling SIP had little effect, then you might like to think again.
Details of security checks including Gatekeeper, XProtect and notarization, performed when launching an app in full security.
How is it going to be harder to run apps that haven’t been notarized in Sequoia, and does it bring any benefit in return for the inconvenience?
