Quarantine, Translocation, and Preference Panes

**Quarantine, Translocation, and Preference Panes**

by James W. Walker
31 May 2024

# Quarantine When a file is downloaded by a web browser or email client, an extended attribute of type `com.apple.quarantine` is attached to it. You can view this attribute at the command line as follows, ``` xattr -p com.apple.quarantine path-to-file ``` producing output similar to: ``` 0083;665a3b74;Safari;39DF211A-EBF4-4ADD-A049-85801D70E2BC ``` The first 4 characters are hexadecimal characters encoding 16 undocumented bit flags. If the downloaded file happens to be a zip archive or disk image, the quarantine attribute is inherited by the contents. That is, if you decompress a zip, those items are assigned the same quarantine attribute. If you move a file from the original location where unzipping put it, or if you copy a file out of a disk image, then the `0100` bit gets set in the quarantine attribute. For example, if the quarantine attribute originally started with `0083`, now it starts with `0183`. So it appears that the `0100` bit means that the item was moved or copied from its original location. The first time you open a quarantined app, the OS does some security check, such as checking for notarization, and even if all seems well, asks you to affirm that you want to open the app. ![First-run Dialog](../images/first-run-quarantine-dialog.png) Assuming you do go ahead and open the app, the OS sets the `0040` bit in the quarantine attribute. For instance if the attribute originally started with `0083`, now it starts with `00C3`. This flag lets the OS skip the first-run tests the next time you open the app. # App Translocation Having discussed two of the bits in the quarantine attribute, let's see how they interact. If both are set (flags like `01C3`), meaning that the app has been opened and moved or copied, then it runs normally. Something more interesting happens when an app has been opened but not moved or copied. (That is, you're running the app directly where it was unzipped, or right on the disk image.) In that case, the app is subject to "app translocation", also known as "path randomization". This means that the OS executes the app as if it was at some other random location. Ideally it shouldn't matter, but some apps may be confused by this. # Preference Panes A preference pane is a bundle of extension `.prefPane` that implements a third-party addition to the System Preferences or System Settings window. Unlike an app, a preference pane that is moved or copied does not get its "moved" flag set in the quarantine attribute. Consequently, if the preference pane bundle contains a helper app, that app will always run in a translocated state.