The other day I was messing with some files that had the extended attribute com.apple.quarantine on them. I am aware of its purpose, but I have always been curious what the properties below meant when you output its values.
E.g. when I typed in
xattr -p com.apple.quarantine xmlrpc.php
for a file that has the said xattr, I get output like this:
0083;59b926ad;Safari.app;55847AA4-5562-42A2-89A7-8FAD394B455C
What do the first 4 digits represent? i.e. 0083
Google hasn't brought up anything good and there are a few guides I found from users also trying to figure out what these numbers precisely represent.
As you're probably already aware, the quarantine flags are set when an agent (browser, mail client etc) saves a file to your machine. This is responsible for the warning that appears when you first try to open an application that was downloaded from the internet.
All this information is stored and there's a complete history for every user.
The first 4 digits are a set of flags that I expect are defined in
quarantine.h
, which appears to be a private header included in copyfile.c, within Apple's open source code.These flags represent states, such as whether the file is quarantined or not.
On closer analysis, the kernel extension
quarantine.kext
is responsible for handling this and upon disassembly, we can see the functionquarantine_get_flags
.Here's just a snippet of the disassembled kext
Note the formatting of the xattr output's first 4 flags with _sscanf(rbx, "%04x;") == 0x1)
This calls
quarantine_get_info
.We can see here that the flags denote various states of the file on the system, with vfs being the Virtual File System and vnode is the basic representation structure of a file.
As for the rest of the
xattr
output, each user has a localsqlite3
database that keeps a record of every item downloaded. Its location isThe database has just one table
LSQuarantineEvent
. You can read all the data by using thesqlite3
command in the terminalIf you filter the results (grep or alternative) you'll be able to match up the GUID that makes up the latter part of the
xattr
output and you'll see all the information about that particular download, including which agent was responsible for downloading the file and even the URL from where it was retrieved.