Ventura Adds com.apple.provenance
What happens in macOS Ventura is essentially the same until the moment that quarantine is cleared, when macOS now attaches a new extended attribute (xattr) of type com.apple.provenance to the file. This contains an 11-byte binary reference unique to that quarantine event, and may be protected by SIP to make it persist and prevent it from being stripped.[…]
Defeating any SIP protection is simple for the user: when an app with a protected com.apple.provenance xattr is copied to another volume, the SIP protection breaks, and the xattr can be deleted in the normal way. However, code that tries to remove that xattr while it’s still protected may fail, and that has resulted in problems reported in Ventura by some users.[…]
Randy has also identified the binary content of this new xattr as containing an 8-byte integer that is that app’s primary key in the provenance_tracking table in /var/db/SystemPolicyConfiguration/ExecPolicy. This would enable macOS to check the previous cdhash and other information about the app, perhaps to determine whether fuller checks are required by Gatekeeper, when the app is launched on subsequent occasions. That would make it a key part of Ventura’s new extended Gatekeeper checks.
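To make the xattr states described above visible on a Mac, here is an added audit script (not Howard Oakley's, Randy's or Apple's code) that reads the quarantine, macl and provenance xattrs from each app bundle with macOS's xattr(1) and decodes the provenance value. The page only gives the total length (11 bytes) and that it embeds an 8-byte integer; the 1-byte version, 2-byte flags, little-endian key layout in decode_provenance is an assumption, as is /Applications as the folder walked.

```python
"""Added audit script: report quarantine / macl / provenance xattrs on app bundles.

Layout of the 11-byte com.apple.provenance value is an ASSUMPTION, not from the
page: 1 version byte, 2 flag bytes, then the 8-byte little-endian row id that is
the app's primary key in the provenance_tracking table of ExecPolicy.
"""
import os
import struct
import subprocess
from typing import Dict, Optional

PROVENANCE = "com.apple.provenance"
QUARANTINE = "com.apple.quarantine"
MACL = "com.apple.macl"
APPS_DIR = "/Applications"  # assumption: the folder to audit


def decode_provenance(blob: bytes) -> Dict[str, int]:
    """Split the 11-byte value into version, flags and the ExecPolicy row id."""
    if len(blob) != 11:
        raise ValueError(f"expected 11-byte provenance value, got {len(blob)}")
    version, flags, row_id = struct.unpack("<BHQ", blob)  # 1 + 2 + 8 bytes
    return {"version": version, "flags": flags, "row_id": row_id}


def read_xattr(path: str, name: str) -> Optional[bytes]:
    """Raw bytes of one xattr via xattr(1) ('-px' prints hex); None if absent.

    xattr(1) is used because CPython does not provide os.getxattr on macOS.
    """
    res = subprocess.run(["xattr", "-px", name, path], capture_output=True, text=True)
    if res.returncode != 0:  # "No such xattr" (or the path does not exist)
        return None
    return bytes.fromhex(res.stdout)  # fromhex ignores the spaces and newlines


def audit_app(path: str) -> Dict[str, object]:
    """One record per bundle: which xattrs are present, plus the decoded key."""
    blob = read_xattr(path, PROVENANCE)
    try:
        provenance = decode_provenance(blob) if blob else None
    except ValueError:  # unexpected length: keep the raw hex rather than fail
        provenance = {"raw": blob.hex()}
    return {
        "quarantine": read_xattr(path, QUARANTINE) is not None,
        "macl": read_xattr(path, MACL) is not None,  # SIP-protected once attached
        "provenance": provenance,
    }


if __name__ == "__main__":
    # Bundles with quarantine present but no provenance either have not been run
    # yet or were first launched from the folder they arrived in (see the text).
    for app in sorted(os.listdir(APPS_DIR)):
        if app.endswith(".app"):
            print(app, audit_app(os.path.join(APPS_DIR, app)))
```

Run it with the same user that installed the apps; a protected xattr can be read but, as the post notes, attempts to remove it while SIP-protected fail.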
A small macOS improvement idea:
When I hit command-i on a macOS app, it would be nice if the app would include the website for the developer/application in the info or comments field.
I’ve forgotten about some apps that I’ve installed (i.e. I have no idea what they are even for) and would like to easily pop open the site for them without launching and hoping the URL is in help or about (or just manually searching online).
While it’s clear that macOS Ventura is now tracking the provenance of apps that have completed their first run with the quarantine flag set, this provenance tracking doesn’t (yet) appear to be used to tailor or modify the checks run by Gatekeeper. It’s possible that provenance tracking isn’t yet mature enough to be used for that purpose, or that it’s intended for something else. Perhaps Ventura 13.3 will reveal more.
Update (2023-05-11): Howard Oakley:
When the app is moved to a different enclosing folder, such as Applications, and is launched for the first time using the Finder, its xattrs change: the quarantine flag is cleared but left in place, a com.apple.macl xattr that’s protected by SIP is attached, and an unprotected com.apple.provenance xattr is also attached.
If the app is first launched from the same folder that it arrived in, that works differently, and no provenance xattr will be attached. Neither are provenance xattrs attached to documents.
[…]
On subsequent runs of that app, syspolicyd locates the previously stored provenance data, and updates it[…]