“Disabling” Launch Services File Quarantine

Dan Benjamin of The Talk Show fame posted a general inquiry to the Twitterverse on how to disable the Leopard open confirmation dialog that comes up when you attempt to access a recently downloaded file.

This dialog is a one of Leopard’s new security features called “File Quarantine” and is primarily designed to protect users from trojan horse attacks. Any application that may download file content from the Internet can tag them as being “quarantined” to indicate that the it may be from an untrustworthy source. This is done simply by assigning values to one or more quarantine properties which preserve information about when and where the file come from.

In OS X, the majority of user-space files are opened via Launch Services. When an open event is triggered (i.e. by double-clicking on the file) the operating system checks to see if the file appears to be an application, script, or other executable file type. If that is the case, Launch Services will display an alert asking the user to confirm whether the file is some kind of application. If/once the file is opened, the quarantine properties are automatically cleared by Launch Services if the user has write access to the file.

The Gory Details

You can see this in action if you’re willing to brave the Terminal. Go ahead and download some application from the internet, say Bean 1.0 (the minimalist document editor which released version 1.0 yesterday). Open up a Terminal prompt and type:

xattr -l Downloads/Bean-Install.dmg

xattr is a command that can perform operations on extended file attributes that are normally hidden from the GUI side of OS X.

After running that command – which lists these attributes – you’ll see some very unfriendly output that looks like this (main items we care about have been highlighted:

com.apple.diskimages.recentcksum: i:4803338 on 26E026C0-FD2C-3745-8A89-3F2157D5B176 @ 1206470700 - CRC32:$E2826548
0000   62 70 6C 69 73 74 30 30 A2 01 02 5F 10 31 68 74    bplist00..._.1ht
0010   74 70 3A 2F 2F 77 77 77 2E 62 65 61 6E 2D 6F 73    tp://www.bean-os
0020   78 2E 63 6F 6D 2F 72 65 6C 65 61 73 65 73 2F 42    x.com/releases/B
0030   65 61 6E 2D 49 6E 73 74 61 6C 6C 2E 64 6D 67 5F    ean-Install.dmg_
0040   10 2B 68 74 74 70 3A 2F 2F 6D 61 63 75 70 64 61    .+http://macupda
0050   74 65 2E 63 6F 6D 2F 69 6E 66 6F 2E 70 68 70 2F    te.com/info.php/
0060   69 64 2F 32 34 38 38 31 2F 62 65 61 6E 08 0B 3F    id/24881/bean..?
0070   00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 03    ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D    ...............m

com.apple.quarantine: 0000;47ea606e;Safari;569BD03D-469D-4546-92FF-83C0F3669A07|com.apple.Safari

  • com.apple.diskimages.recentcksum” has the checksum of the disk image which is used in verifying the integrity of the file.
  • com.apple.metadata:kMDItemWhereFroms” stores the URL where the file was downloaded from.
  • com.apple.quarantine” – however – is the entry that causes Launch Services to generate the confirmation dialog

The only way to prevent this dialog from appearing is to remove this attribute, which can easily be done by doing the following from the Terminal:

xattr -d com.apple.quarantine Downloads/Bean-Install.dmg

This is not a practical solution as it would be much easier to just click “OK” and be done with the dialog rather than go through this series of command line gyrations.

A More Elegant Solution

If you are determined to bypass this built-in security feature (which I highly caution against) then you may be interested in solution developed by Henrik and available over at The Pug Automatic. It involves an AppleScript that performs recursive “xattr -d‘s” and is then attached to key folders – like “Downloads” – as a Folder Action. Any time files are added to the folder, the script will ensure that all quarantine values are unset, freeing you from having to expend precious energy and human compute cycles to evaluate a small dialog and click “OK”.

The script/action combination works well (I tried it and then removed it), but if you know of another means to accomplish this task (a hidden “defaults” setting, perhaps) or have more questions on File Quarantine (or other Leopard security features), please drop a note in the comments.

You're subscribed! If you like, you can update your settings


Comments have been disabled for this post