Archive for May 6, 2019

Monday, May 6, 2019

Quarantine: Apps and Documents

Howard Oakley:

The quarantine flag is among the stickiest of all xattrs. When you unZip an archive which has been flagged, the xattr is normally propagated to all items which are saved from that, a behaviour which ensures that compressed apps retain their flag when uncompressed, for example. This isn’t, though, imposed by macOS, and some tools and utilities which can decompress archives may not follow this behaviour; the bundled Archive Utility does, though.

Howard Oakley:

macOS has been attaching quarantine flags, in the form of the extended attribute, to documents for as long as it has been to apps, since macOS 10.5 in 2007, as part of the the same process. If a webpage or other file is downloaded from the Internet and saved on your Mac by an app which adds quarantine flags, then a normal quarantine xattr will be added to it. When you decompress a flagged Zip archive, quarantine flags are automatically attached to all the files extracted from it.


The role and purpose of these quarantine flags added by sandboxed apps remains obscure, beyond being used to prevent the execution of shell scripts, web archives, etc.

Unfortunately, it can also prevent opening shell scripts, e.g. just to edit them.

Howard Oakley:

Opening a document using LaunchServices, by double-clicking or dragging and dropping it, is very different. macOS then checks both the quarantine flag and the OpenWith xattr. If the latter points to the same app as the default for that document type, then regardless of the quarantine flag, the document is opened as expected; similarly, if there’s no quarantine flag, none is enforced.

But if a document has both quarantine flag and OpenWith xattr, and the app specified in the latter isn’t the default, macOS refuses that request when it’s made through LaunchServices. This results in the dialog that you see, which doesn’t make any sense because it’s actually intended for apps which can’t pass their first run tests, not for documents at all.


macOS is clearly behaving in this way as a defence against malware, which might install an innocent-looking document but set its OpenWith xattr to ensure that it’s processed (installed or run in some way) using a third-party tool instead. However, there are several serious flaws in the way that this is currently implemented, in particular the differences in operation between app and document quarantine.


Furthermore, determining document behaviours like this through opaque metadata prevents the user from making judgements of their own on which documents to trust. It essentially deems every document untrusted for ever, which is most bizarre in comparison with the treatment of apps, which once they have passed their first run checks are so trusted that they can even have broken signatures and macOS doesn’t bat an eyelid at running them.

Howard Oakley:

I think that these log extracts demonstrate how the failure to open these documents is a behaviour determined by XProtect as a result of its scan not of the document contents (which were entirely innocent), but on discovery of the quarantine flag and the OpenWith extended attribute. The error returned, -67062, is incorrect, and results in the wrong alert being displayed to the user.

As far as I can discover, this behaviour and its use of this alert is undocumented by Apple in either its user documentation or that for developers.


Apple needs to correct this immediately: blaming its third-party developers for an undocumented feature in macOS is plain wrong.

Howard Oakley:

Open the Security & Privacy pane in its General tab. If you’re quick enough, there will be an additional item at the bottom offering the button to Open Anyway. If you don’t see it, it’s because you were too slow to react: try again, only faster!

If you click on the Open Anyway button, you’ll see another security dialog which has a similarly incoherent message.

What a bizarre user interface.

What happens is that macOS sets the quarantine flag on that document to indicate that XProtect has approved it, by changing its first numbers from something like 0082 to 00e2. This is what my free app Pratique does without your having to go through two security alerts and the Security & Privacy pane. This ensures that the next time that document – and that document alone – has its quarantine flag checked, it will not be blocked in the way that it was.


Open the Finder contextual menu on the document, then press the Option key. Now the Open command at the top will open that document via the security confirmation dialog, or you can choose any other app to open it instead. This results in the same change being made to the quarantine flag, with the added bonus that, as you were holding the Option key, the Finder window will automatically vanish too.


Update (2019-05-14): Howard Oakley:

Pratique has a similar interface to my free utility for stripping ‘spurious’ quarantine flags, Sandstrip, but instead of removing them, it marks files with a flag which indicates that they have been checked by XProtect – in the same way that flags change when an app has passed its first run checks. So long as that modified flag remains attached to a document, you can change the app set to open it, and double-clicking it won’t trigger a security alert and refusal.

This should prove a more lasting way of dealing with the problems caused by quarantine flags on documents, particularly if you don’t save them using an app which runs in a sandbox.

Howard Oakley:

In certain circumstances, trying to open a document in macOS 10.8 and later can result in a security error and refusal. This article summarises knowledge about this issue: how it arises, what it means, and how to work around it.

Update (2020-11-07): See also: Quarantine and the quarantine flag.

The Apple Watch Turns Four: Some Thoughts

Nick Heer:

From a convoluted and much-mocked start, it has grown to become an invaluable accessory for millions. One more reason it was so often misunderstood: it’s truly the kind of product that you need to use to understand it.


I adore the activity and fitness tracking, for example. […] I also like some of the smart watch face features. It feels completely natural for me to glance at my watch to check the weather or to see what appointments or reminders I have that day. Having Siri on my wrist is also a revelation. These features combine to help create the kind of passive technology future many of us have dreamed of. If only I could tilt my wrist and see when the next bus or train is due to arrive — that would nearly complete a feeling of immersion.


But then there are the things that I feel more negative about, and which have not meaningfully changed over the past four years — the worst of which is the third-party app ecosystem on the device. Even though I have a Series 1 Apple Watch, this has little to do with speed and everything to do with functionality. It feels like third-party developers either cannot figure out what they want to do with their WatchOS apps, or they’re not able to do what they want because of API limitations.


I’m also not wholly convinced that pushing notifications to my wrist is somehow beneficial for either my phone use or my attentiveness.

Jim des Rivieres, RIP

Ottowa Matters:

Jim, aka “Jeem” to many computing friends and colleagues and “Moth Man” to his Lepidoptera friends, will be fondly remembered by the many friends made over the years (Bell High School, Carleton University (as a Honours BSc graduate, computer programmer at the former Centre for Computing Services, and Assistant Professor), University of Toronto, Knights of the Lambda Calculus, Xerox PARC, Object Technology International (OTI), IBM, Photography Collectors Group, National Gallery of Canada, Camera Club of Ottawa, School of Photographic Arts Ottawa (SPAO) and the Museum of Nature) along with those gathered through his photography and mothing passion.

Gilad Bracha:

Sad news, once again. Among Jim’s many accomplishments, he co-authored the classic “Art of the Metaobject Protocol”, which many can still learn from.

MIT Press:

Kiczales, des Rivières, and Bobrow show that the “art of metaobject protocol design” lies in creating a synthetic combination of object-oriented and reflective techniques that can be applied under existing software engineering considerations to yield a new approach to programming language design that meets a broad set of design criteria.

One of the major benefits of including the metaobject protocol in programming languages is that it allows users to adjust the language to better suit their needs. Metaobject protocols also disprove the adage that adding more flexibility to a programming language reduces its performance. In presenting the principles of metaobject protocols, the authors work with actual code for a simplified implementation of CLOS and its metaobject protocol, providing an opportunity for the reader to gain hands-on experience with the design process.


In his 1997 talk at OOPSLA, Alan Kay called it “the best book anybody’s written in ten years”, and contended that it contained “some of the most profound insights, and the most practical insights about OOP”, but was dismayed that it was written in a highly Lisp-centric and CLOS-specific fashion, calling it “a hard book for most people to read; if you don’t know the Lisp culture, it’s very hard to read”.

Some chapters of the book are available online, and Amazon has the paperback. I haven’t seen the hardback version anywhere.