macOS: com.apple.quarantine

I recently faced a weird behaviour from one of my Eclipse instances: all settings and plug-ins installed were forgotten, and the Eclipse looked like freshly installed.

It took me some time to understand that the problem was not a bug, but a feature ;-)

Problem

In the latest macOS versions, Apple implemented a security component called Gatekeeper. In macOS Sierra, things went even further, with Gatekeeper Path Randomization (or app translocation). What it basically does is to randomly move unsigned applications to random paths. For usual applications that can be executed from read-only folders, this strategy is ok, since it makes malitious software less effective.

However, Eclipse is not such an application, Eclipse installs plug-ins and keeps persistent configuration files in the install folder, which obviously cannot be read-only.

This is exactly the problem I was experimenting, from time to time that specific instance of Eclipse lost its settings and all extra installed plug-ins.

Solution

The solution was to remove the extended attribute com.apple.quarantine from the Eclipse.app folder.

$ xattr Eclipse.app
com.apple.quarantine
$ xattr -d com.apple.quarantine Eclipse.app

The reason why this attribute was added to the folder is more complicated, and probably only Apple knows the exact details, but definitely downloading unsigned applications with the browser marks them as suspicious and needing to be qarantined.

Recommandation

So, to prevent such cases, it is recommended to download the applications manually in a terminal, with curl.

If the application was downloaded via the browser, things are not completely lost (at least in the current versions of macOS); move it to the the destination folder and remove the attribute before using it.

There are several exceptions to the rule, when applications are considered safe, and no loger quarantined; these exceptions probably will change from version to version; for example, now applications moved to the system folder /Applications are no longer quarantined.

 

Advertisements

About Liviu Ionescu (ilg)
Hi! My name is Liviu Ionescu (ilg, ilegeul or eunete for colleagues and friends) and I’m a senior IT engineer. Or should I say a real programmer?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: