Question

There are questions with good answers that explain how to remove the com.apple.quarantine extended attribute but I was wondering how does one restore / set it back again?

I tried this:

xattr -w com.apple.quarantine $VALUE /Applications/AnApp.app

but apparently, not knowing what the attribute's value should be, this achieves nothing.

I guess it is all about the attribute's value, which is of the following format:

com.apple.quarantine: 0061;53822fd4;Google\x20Chrome;C1022EC2-E1B2-4896-AF74-B68F4BF97779

What I want to do is make Gatekeeper ask me again whether I want to run this app or file, or not. Restore the same behavior as if the file was just downloaded from the Internet and it is run for the first time.


Solution

You can copy an existing com.apple.quarantine attribute of an arbitrary file to a proxy file and then apply it to arbitrary other files. If you open certain file types (e.g. .txt files) the quarantine attribute will be ignored though.

Example:

xattr -p com.apple.quarantine /Users/user/dnscrypt-osxclient-1.0.12.dmg > quarantine.attr
xattr -w com.apple.quarantine "`cat quarantine.attr`" test.command 

This will apply the data gathered from the .dmg to the .command file - including download date and download app of the original dmg file. The original download date/app of the .command won't be restored though.

Source: Using xattr to set the Mac OSX quarantine property


Format of the quarantine attribute:

flag;date;app_name;UUID;
  1. at least 0001-0003 raise the "Do you really want to open this file..." dialog, but 0062 doesn't.
  2. date (as a hexadecimal Unix timestamp; at least 00000000-1c000000 are unknown dates, an early date which works is 1d000000: 02 Jun 1985 05:47:44 GMT)
  3. app (any app name allowed)
  4. A UUID related with a file download which can be found in /Users/user/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 (obviously facultative)

So using 0001;55555555;Klanomathiner; in the proxy file mentioned above and applying it to a file (in the example test.command) will raise:

[image]

or 0001;66666666;A Cyborg from the future;

[image]

After opening the file the first "flag" will be set to 0041 and reopening it won't raise anything.


With some bash/SQL-magic you may even recover the original UUID and the download date/app by querying for the file name in the sqlite database - which the file com.apple.LaunchServices.QuarantineEventsV2 represents - and restore the original quarantine attribute. But I'm too lazy to draw this up now. Someone else has done similar/related work already:

Read com.apple.quarantine

/usr/bin/xattr -p com.apple.quarantine "${file}"

Set com.apple.quarantine

application="cURL"
date=$(printf %x $(date +%s))
uuid=$(/usr/bin/uuidgen)
/usr/bin/xattr -w com.apple.quarantine "0002;${date};${application};${uuid}" "${file}"

Insert UUID into Database

download_url="http://example.com/file.zip"
url=""  # origin page URL; the snippet uses ${url} but never sets it, so it is empty unless you fill it in
date=$(($(date +%s) - 978307200))
/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "INSERT INTO \"LSQuarantineEvent\" VALUES('${uuid}',${date},NULL,'${application}','${download_url}',NULL,NULL,0,NULL,'${url}',NULL);"

Check if UUID exists in Database

/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT * FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier == '${uuid}'"
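
The field layout described in the answer, as an added example that is not part of the original post: a POSIX shell helper that splits a com.apple.quarantine value into its fields and converts the hex date into both Unix time and the 2001-based value the answer's INSERT computes. The function names are hypothetical, and the sample is the value quoted in the question.

```shell
#!/bin/sh
# Added example: decode a com.apple.quarantine value (flag;date;app_name;UUID).
# Seconds between 1970-01-01 and 2001-01-01, the offset subtracted in the answer's INSERT.
COCOA_EPOCH_OFFSET=978307200

# qfield VALUE N -> Nth ';'-separated field (1=flag 2=date 3=app 4=UUID)
qfield() {
    printf '%s\n' "$1" | cut -d';' -f"$2"
}

# quarantine_unix_time VALUE -> hex date field as decimal Unix seconds
quarantine_unix_time() {
    hex=$(qfield "$1" 2)
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "bad date field: $hex" >&2; return 1 ;;
    esac
    echo $((0x$hex))
}

# quarantine_db_time VALUE -> same instant, as the database insert stores it
quarantine_db_time() {
    unix=$(quarantine_unix_time "$1") || return 1
    echo $((unix - COCOA_EPOCH_OFFSET))
}

# quarantine_agent VALUE -> app name; only the \x20 escape seen on the page is decoded
quarantine_agent() {
    qfield "$1" 3 | sed 's/\\x20/ /g'
}

# quarantine_describe VALUE -> one-line summary of all fields
quarantine_describe() {
    unix=$(quarantine_unix_time "$1") || return 1
    uuid=$(qfield "$1" 4)
    printf 'flag=%s unix=%s db=%s agent=%s uuid=%s\n' \
        "$(qfield "$1" 1)" "$unix" "$((unix - COCOA_EPOCH_OFFSET))" \
        "$(quarantine_agent "$1")" "${uuid:-none}"
}

# Sample input: the attribute value quoted in the question.
sample='0061;53822fd4;Google\x20Chrome;C1022EC2-E1B2-4896-AF74-B68F4BF97779'
quarantine_describe "$sample"
```

On a Mac the input would come from /usr/bin/xattr -p com.apple.quarantine "${file}", and the UUID field is the key for the SELECT shown above.
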
Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange