0

I have just switched a couple of months ago from Sonoma (M1 MBPro) to Sequoia (15.3 and now 15.4.1) (M4 MBPro), and I notice that extended attributes were/are now systematically added almost everywhere (files, folders, apps).

While I don't experience any problem with that, I am curious to know why this happens. In particular, I notice that the "quarantine" metadata is added to regular files created on the desktop (not downloaded) but sometimes not ...

I have never heard of these extended attributes before and, as far as I understand, they seem to be quite common. What I just observe is that it seems that their use have been generalized in Sequoia (15.3.2+) in comparison to Sonoma (?).

Examples:

I have started to notice these "@" at the end of the permission flags for new created files or updated ones - whatever application I use: Pages, Visual Studio Code, etc.

For example here is the output for a new created file with Pages: ls -l@ test.pages

com.apple.FinderInfo 32 com.apple.iwork.documentUUID#PS 16 com.apple.lastuseddate#PS 16 com.apple.metadata:_kMDItemUserTags 42 com.apple.metadata:kMDLabel_egbunddmsty53ytn3djv6qnvty 121 com.apple.quarantine 20

Why Pages? Why this "quarantine" metadata ? (I don't see this metadata for Visual Studio Code for example)

Actually the Applications/ themselves have extended attributes (and this is probably the reason why the files have it also?).

For example, here is again the output for Pages when I run ls -l@ /Applications

com.apple.appstore.metadata 1642 com.apple.appstore.store_cohort 34 com.apple.appstore.storefront 6 com.apple.appstore.vendor_name 5 com.apple.macl 72

And I have just notice now that even my user folder (in /Users/) have some extended attributes, with this "disturbing" single output:

com.apple.quarantine 61

I have started then to be suspicious about some potential virus ... but none is detected (with "VirusBarrier Scanner" from AppStore).

Again, everything works ok so I am just interested to know if this behaviour seems normal, if other users notice the same, and of course any hint or explanation for this.

Improve this question
4
  • 1
    Metadata is how spotlights works, so there’s nothing at all concerning about com.apple.quatantine being present. What specific values in specific fields mean has evolved over time so any definitive answer needs to take into account the exact version(s) of macOS on which any specific file has encountered. What makes you think this is “highly abnormal”? If you could document your research to clarify what problem you face perhaps we can help more than my summary answer on what hopefully are relevant details that might be missed by someone that sees these for the first time. Commented May 5 at 11:00
  • Thanks for your comment and explanation. I added some more specific info about the OS version. I am not an expert, that is why I ask here, because what I observe seems unusual for me. Commented May 5 at 12:19
  • 1
    Absolutely. Thanks for documenting your research - we have nearly 300 questions on the quarantine aspect of filesystem metadata. Clearly you’re not the only one with questions. Since you’re new here, welcome! And also keep in mind, we the collective people with reputation on the site decided to make questions that boil down to “why did Apple do some thing X” as off-topic. We hope the tour helps all who are new craft questions that address a practical problem they face and not just “how come this happened” Commented May 5 at 12:56
  • You can use Folder Actions or a tool like Hazel to remove extended attributes when files are placed in directories. Commented May 6 at 14:02

1 Answer 1

Reset to default
4

Here are some potentially relevant details that may answer your underlying question here:

  1. Your OS creates many but not all of these as a routine result of the files being created or moved about the filesystem.
  2. Apple OSes (iOS, iPadOS, watchOS, visionOS, etc…) have a concept of spotlight and file metadata that goes back to before OS X (which is now called macOS).
  1. The com.apple.quarantine metadata field has been around since 2010 and has caused many people to worry that there's something wrong or they use old information to make decisions about a newer OS that is either actively harmful or at best, needless concern.
  2. Metadata on macOS is designed to contain many items without changing the actual file. The filesystem is heavily involved in storing this "data" and it may or may not be relevant for issues people report and change when the same file is stored on different types of filesystem. This metadata can be useful for classifying from where a file came, when it was last accessed, when it was "created" on some other filesystem or computer, and when it was modified last.
  3. Metadata fields are expandable, so there's no limit to what any program can decide to tack on to a file. The OS is free to use or not use these information, it's more like an empty shelf upon which all sorts of information can be stored using common access patterns to write, delete or add new keys for a specific file (and a file can be a folder or a file in the more traditional sense).
  4. If you didn't have all this metadata on your files, now that would be highly abnormal.

The link to Howard Oakley's blog Eclectic Light is excellent, as his writing is clear and exceptionally well documented relating to search, logging and quarantine flags and metadata in general.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.