Dan Benjamin of The Talk Show fame posted a general inquiry to the Twitterverse on how to disable the Leopard open confirmation dialog that comes up when you attempt to access a recently downloaded file.

This dialog is one of Leopard’s new security features, called “File Quarantine”, and is primarily designed to protect users from trojan horse attacks. Any application that downloads file content from the Internet can tag those files as “quarantined” to indicate that they may be from an untrustworthy source. This is done simply by assigning values to one or more quarantine properties, which preserve information about when and where the file came from.

In OS X, the majority of user-space files are opened via Launch Services. When an open event is triggered (e.g. by double-clicking on the file), the operating system checks to see if the file appears to be an application, script, or other executable file type. If that is the case, Launch Services will display an alert asking the user to confirm whether the file is some kind of application. Once the file is opened, the quarantine properties are automatically cleared by Launch Services if the user has write access to the file.

The Gory Details

You can see this in action if you’re willing to brave the Terminal. Go ahead and download some application from the internet, say Bean 1.0 (the minimalist document editor which released version 1.0 yesterday). Open up a Terminal prompt and type:

xattr -l Downloads/Bean-Install.dmg

xattr is a command that can perform operations on extended file attributes that are normally hidden from the GUI side of OS X.

After running that command – which lists these attributes – you’ll see some very unfriendly output that looks like this (the main items we care about are the three attribute names):

com.apple.diskimages.recentcksum: i:4803338 on 26E026C0-FD2C-3745-8A89-3F2157D5B176 @ 1206470700 - CRC32:$E2826548
com.apple.metadata:kMDItemWhereFroms:
0000   62 70 6C 69 73 74 30 30 A2 01 02 5F 10 31 68 74    bplist00..._.1ht
0010   74 70 3A 2F 2F 77 77 77 2E 62 65 61 6E 2D 6F 73    tp://www.bean-os
0020   78 2E 63 6F 6D 2F 72 65 6C 65 61 73 65 73 2F 42    x.com/releases/B
0030   65 61 6E 2D 49 6E 73 74 61 6C 6C 2E 64 6D 67 5F    ean-Install.dmg_
0040   10 2B 68 74 74 70 3A 2F 2F 6D 61 63 75 70 64 61    .+http://macupda
0050   74 65 2E 63 6F 6D 2F 69 6E 66 6F 2E 70 68 70 2F    te.com/info.php/
0060   69 64 2F 32 34 38 38 31 2F 62 65 61 6E 08 0B 3F    id/24881/bean..?
0070   00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 03    ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D    ...............m

com.apple.quarantine: 0000;47ea606e;Safari;569BD03D-469D-4546-92FF-83C0F3669A07|com.apple.Safari


  • “com.apple.diskimages.recentcksum” has the checksum of the disk image, which is used in verifying the integrity of the file.
  • “com.apple.metadata:kMDItemWhereFroms” stores the URL where the file was downloaded from.
  • “com.apple.quarantine” – however – is the entry that causes Launch Services to generate the confirmation dialog.
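Both values in that output can be decoded offline, which is useful when you need to establish where a downloaded file came from. The following Python is an added example, not part of the original post: it rebuilds the kMDItemWhereFroms bytes from the hex dump shown above, decodes them as a binary plist, and splits the com.apple.quarantine value. The field names (flags, time, agent, event_id, bundle_id) and the reading of the second field as hexadecimal Unix time are assumptions; the post does not document the format.

```python
import plistlib
import re
from datetime import datetime, timezone

# Sample input: the two attribute values from the xattr -l output shown above.
WHERE_FROMS_DUMP = """\
0000   62 70 6C 69 73 74 30 30 A2 01 02 5F 10 31 68 74    bplist00..._.1ht
0010   74 70 3A 2F 2F 77 77 77 2E 62 65 61 6E 2D 6F 73    tp://www.bean-os
0020   78 2E 63 6F 6D 2F 72 65 6C 65 61 73 65 73 2F 42    x.com/releases/B
0030   65 61 6E 2D 49 6E 73 74 61 6C 6C 2E 64 6D 67 5F    ean-Install.dmg_
0040   10 2B 68 74 74 70 3A 2F 2F 6D 61 63 75 70 64 61    .+http://macupda
0050   74 65 2E 63 6F 6D 2F 69 6E 66 6F 2E 70 68 70 2F    te.com/info.php/
0060   69 64 2F 32 34 38 38 31 2F 62 65 61 6E 08 0B 3F    id/24881/bean..?
0070   00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 03    ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D    ...............m
"""
QUARANTINE = "0000;47ea606e;Safari;569BD03D-469D-4546-92FF-83C0F3669A07|com.apple.Safari"
HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4}\s+((?:[0-9A-Fa-f]{2}\s)+)")

def dump_to_bytes(dump):
    """Rebuild raw bytes from dump lines: offset, hex pairs, ASCII column (ignored)."""
    raw = bytearray()
    for line in dump.splitlines():
        match = HEX_LINE.match(line)
        if match:
            raw += bytes.fromhex(match.group(1))
    return bytes(raw)

def origin_urls(dump):
    """Decode the attribute as a binary plist; here it holds a list of URL strings."""
    return plistlib.loads(dump_to_bytes(dump))

def parse_quarantine(value):
    """Split the ';'-separated value (assumed layout: flags;hex time;agent;id|bundle)."""
    parts = value.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected com.apple.quarantine value: %r" % value)
    flags, stamp, agent, rest = parts
    event_id, _, bundle_id = rest.partition("|")
    return {
        "flags": int(flags, 16),
        "time": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent,
        "event_id": event_id,
        "bundle_id": bundle_id or None,
    }

if __name__ == "__main__":
    print(origin_urls(WHERE_FROMS_DUMP), parse_quarantine(QUARANTINE))
```

The decoded list shows both the direct download URL and the referring page, and the timestamp falls one day after the checksum time recorded in com.apple.diskimages.recentcksum.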

The only way to prevent this dialog from appearing is to remove this attribute, which can easily be done by doing the following from the Terminal:

xattr -d com.apple.quarantine Downloads/Bean-Install.dmg

This is not a practical solution as it would be much easier to just click “OK” and be done with the dialog rather than go through this series of command line gyrations.

A More Elegant Solution

If you are determined to bypass this built-in security feature (which I highly caution against) then you may be interested in the solution developed by Henrik and available over at The Pug Automatic. It involves an AppleScript that performs recursive “xattr -d” calls and is then attached to key folders – like “Downloads” – as a Folder Action. Any time files are added to the folder, the script will ensure that all quarantine values are unset, freeing you from having to expend precious energy and human compute cycles to evaluate a small dialog and click “OK”.

The script/action combination works well (I tried it and then removed it), but if you know of another means to accomplish this task (a hidden “defaults” setting, perhaps) or have more questions on File Quarantine (or other Leopard security features), please drop a note in the comments.


  1. What about a way to do it within the downloads folder by file type, so only downloaded .DMG files would be un-quarantined?

  2. It’s probably worth noting that at least for Cocoa apps, if the developer code signs the application, this prompt is avoided, as is the one about giving access to keychain entries.

  3. @Dan: the script should be pretty easy to tweak. If you really want that option, let me know mailto: first @ last . net

    @Justin: Very cool. Really good info. As I’ve said when working with Microsoft devs w/r/t code-signing: I just hope development teams have a good way to handle this so that keys don’t make it out of their control w/o knowing. Code-signing apps is not as simple as it sounds when you factor in employees leaving and how you integrate it into your build processes.

  4. Apple provides the mechanism to exclude files from being quarantined by file type. Read this article about it:

    http://mymacinations.com/2008/02/06/changing-the-systems-default-settings-for-html-files-safe/

  5. @John: I’ve created the “com.apple.DownloadAssessment.plist” file and added:

    public.disk-image
    public.archive
    public.item
    public.content
    public.data
    public.executable
    com.apple.bundle
    com.apple.application-file

    to it and re-started Safari and download dmgs and still receive the “are you sure” dialog from Launch Services. This can definitely be me missing something, tho. Anything else I need to do?

  6. There is a list of applications whose files are automatically quarantined by the system. Take a look at: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Resources/Exceptions.plist

    Obviously, this does not prevent applications from quarantining themselves (as Safari does).

  7. Make sure that the file is valid XML and then you need to log out and log back in.

    Although, honestly, .executable, .bundle and .application-file make for a very unwise set up.

  8. Note for those disabling quarantine:
    The purpose of this functionality is one last line of defense against trojans such as OSX.Leap.A. If you disable quarantine, you will get no warning if you download an item that appears to be an image or PDF but is actually a malicious application.

  9. Apple’s answer to Oompa is a nag prompt? Hilarious.

    Anyway, when you get tired of the nagging:

    find . -print0 | xargs -0 ~/Applications/etc/xabatch ~/Applications/etc/com.apple.xabatch {}

  10. Whoops, that’s using the ACP.

    find . -print0 | xargs -0 xattr -d com.apple.quarantine
