OS X File Quarantine and Extended Attributes

April 15, 2013

OS X 10.5 introduced a file quarantine service that displays a warning when you attempt to open an item downloaded from an external source like the internet.

An item only goes into File Quarantine when the application that downloaded it marks the file. All built-in Apple applications use File Quarantine for downloaded items, this doesn’t have to be true for 3rd party applications.

The file is marked via an extended attribute called com.apple.quarantine. The result of this mark is a warning screen when you try to open the item for the first time.

TextWrangler

As soon as an Administrator clicks open the quarantine mark will be removed and the item will open. When a standard user clicks open, the item will open but the quarantine flag will remain. Hence, the next time a user tries to open the same item the warning will re-appear.

In the background the OS removes the com.apple.quarantine flag from the extended attributes of the item. There’s also a possibility to show these extended attributes in the Terminal. The result of this command shows if a file is in File Quarantine or not.

Check if file is in quarantine

You can get this information with the following command:

xattr [location of the item]

Giving you the following result :

Read xattr

The com.apple.quarantine in the screenshot means that this application is currently in File Quarantine.

Remove file from quarantine

The xattr command als gives a possibility to manually remove the File Quarantine mark:

xattr -d com.apple.quarantine [location of the item]

Read xattr

Behold. The com.apple.quarantine flag has been removed and the item is no longer in File Quarantine.