Prevent Quarantine message on helper app

  • When users open my prefpane for the first time they get the OS quarantine
    message. Then my prefpane has to open a helper app and it pauses for about
    30 seconds and then throws up another quarantine message... This time for
    the helper.

    How can I have the main app prevent the quarantine message on the helper?

    Thanks,

    Trygve
  • On Jul 2, 2012, at 5:10 PM, Trygve Inda wrote:

    > When users open my prefpane for the first time they get the OS quarantine
    > message. Then my prefpane has to open a helper app and it pauses for about
    > 30 seconds and then throws up another quarantine message... This time for
    > the helper.
    >
    > How can I have the main app prevent the quarantine message on the helper?

    Well, if the prefpane had been in a user-writable location, the OS should have removed quarantine on it (and everything within its bundle) automatically when the user approved opening the item the first time.

    I would suggest iterating over your helper app's bundle and calling LSSetItemAttribute(&<FSRef to item>, kLSRolesAll, kLSItemQuarantineProperties, NULL) on every item in it, but that won't help if the items aren't writable.

    You can use a privileged helper tool to do this if the prefpane has been copied to a location that's only writable by admins.  In that case, you might prefer to use removexattr() to remove the "com.apple.quarantine" attribute.  It's a bit of a hard call.  On the one hand, you should generally avoid high-level frameworks in privileged tools to minimize the attack surface.  On the other hand, I don't think that Apple has documented that quarantine information is stored in that extended attribute, so there's no guarantee that removing it actually accomplishes the lifting of quarantine.

    Regards,
    Ken
  • > On Jul 2, 2012, at 5:10 PM, Trygve Inda wrote:
    >
    >> When users open my prefpane for the first time they get the OS quarantine
    >> message. Then my prefpane has to open a helper app and it pauses for about
    >> 30 seconds and then throws up another quarantine message... This time for
    >> the helper.
    >>
    >> How can I have the main app prevent the quarantine message on the helper?
    >
    > Well, if the prefpane had been in a user-writable location, the OS should have
    > removed quarantine on it (and everything within its bundle) automatically when
    > the user approved opening the item the first time.
    >
    > I would suggest iterating over your helper app's bundle and calling
    > LSSetItemAttribute(&<FSRef to item>, kLSRolesAll, kLSItemQuarantineProperties,
    > NULL) on every item in it, but that won't help if the items aren't writable.
    >
    > You can use a privileged helper tool to do this if the prefpane has been
    > copied to a location that's only writable by admins.  In that case, you might
    > prefer to use removexattr() to remove the "com.apple.quarantine" attribute.
    > It's a bit of a hard call.  On the one hand, you should generally avoid
    > high-level frameworks in privileged tools to minimize the attack surface.  On
    > the other hand, I don't think that Apple has documented that quarantine
    > information is stored in that extended attribute, so there's no guarantee that
    > removing it actually accomplishes the lifting of quarantine.
    >
    > Regards,
    > Ken
    >
    >

    The prefpane is in a user-writable location so I'll try the
    kLSItemQuarantineProperties suggestion.

    I had expected it to be cleared automatically but at least on 10.7.4 it is
    not.

    Trygve
  • > On Jul 2, 2012, at 5:10 PM, Trygve Inda wrote:
    >
    >> When users open my prefpane for the first time they get the OS quarantine
    >> message. Then my prefpane has to open a helper app and it pauses for about
    >> 30 seconds and then throws up another quarantine message... This time for
    >> the helper.
    >>
    >> How can I have the main app prevent the quarantine message on the helper?
    >
    > Well, if the prefpane had been in a user-writable location, the OS should have
    > removed quarantine on it (and everything within its bundle) automatically when
    > the user approved opening the item the first time.
    >
    > I would suggest iterating over your helper app's bundle and calling
    > LSSetItemAttribute(&<FSRef to item>, kLSRolesAll, kLSItemQuarantineProperties,
    > NULL) on every item in it, but that won't help if the items aren't writable.

    This always returns -1427 errFSAttributeNotFound even if the items are
    writable.

    Trygve
  • On Jul 4, 2012, at 11:18 AM, Trygve Inda wrote:

    >> On Jul 2, 2012, at 5:10 PM, Trygve Inda wrote:
    >>
    >>> When users open my prefpane for the first time they get the OS quarantine
    >>> message. Then my prefpane has to open a helper app and it pauses for about
    >>> 30 seconds and then throws up another quarantine message... This time for
    >>> the helper.
    >>>
    >>> How can I have the main app prevent the quarantine message on the helper?
    >>
    >> Well, if the prefpane had been in a user-writable location, the OS should have
    >> removed quarantine on it (and everything within its bundle) automatically when
    >> the user approved opening the item the first time.
    >>
    >> I would suggest iterating over your helper app's bundle and calling
    >> LSSetItemAttribute(&<FSRef to item>, kLSRolesAll, kLSItemQuarantineProperties,
    >> NULL) on every item in it, but that won't help if the items aren't writable.
    >
    > This always returns -1427 errFSAttributeNotFound even if the items are
    > writable.

    Have you checked if the attribute is actually there?  You can check with LSCopyItemAttribute.  Also, you should double-check with "ls -l@ /path/to/file", which may show the com.apple.quarantine extended attribute.

    It may be that the OS really has cleared the quarantine already and something else is going wrong.

    Don't forget to check all of the files in your helper.  Maybe the quarantine was successfully lifted from some files but not all.  Frankly, you should ignore that error, anyway.  You are just trying to make sure the file is not quarantined.  If it already was not, then you should consider it success.  However, if you're still having the original symptom, then of course that doesn't help you.

    By the way, what version of the OS are you seeing this issue on?

    Regards,
    Ken