Tuesday, October 30th, 2007
So I was curious how Apple was implementing the new “You’re opening an Application downloaded from the internet!” dialog, particularly because of the extra information that items downloaded with Safari are given.
First off, it seems like that information is stored in the com.apple.metadata:kMDItemWhereFroms extended attribute, which is a binary plist. Use mdls filename to view just the Spotlight information about a file. First item seems to be the URL, and the second is optional and contains the referrer.
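An added example, not from the original post: reading the kMDItemWhereFroms value described above with Python's plistlib, taking the first item as the URL and the optional second as the referrer. It assumes the attribute was dumped as hex text (for instance with xattr -px); the function names and the sample URLs are constructed for illustration.

```python
import plistlib

ATTR = "com.apple.metadata:kMDItemWhereFroms"


def decode_xattr_hex(hex_dump: str) -> bytes:
    """Turn a whitespace-separated hex dump (assumed xattr -px style) into bytes."""
    return bytes.fromhex("".join(hex_dump.split()))


def parse_where_froms(raw: bytes) -> dict:
    """Parse the binary plist: item 0 is the URL, item 1 (optional) the referrer."""
    if not raw.startswith(b"bplist00"):
        raise ValueError("value is not a binary plist")
    items = plistlib.loads(raw)
    if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
        raise ValueError("expected an array of strings")
    url = items[0] if items else None
    # The referrer may be missing or an empty string; report both as None.
    referrer = items[1] if len(items) > 1 and items[1] else None
    return {"url": url, "referrer": referrer}


def as_hex_dump(raw: bytes) -> str:
    """Format bytes as 16 hex pairs per line, to build the constructed sample."""
    rows = [raw[i:i + 16] for i in range(0, len(raw), 16)]
    return "\n".join(" ".join(f"{b:02X}" for b in row) for row in rows)


# Constructed sample values, not taken from a real download.
SAMPLE_URL = "https://downloads.example.com/tool.dmg"
SAMPLE_REFERRER = "https://www.example.com/download-page"
SAMPLE_HEX = as_hex_dump(
    plistlib.dumps([SAMPLE_URL, SAMPLE_REFERRER], fmt=plistlib.FMT_BINARY)
)
SAMPLE_HEX_NO_REFERRER = as_hex_dump(
    plistlib.dumps([SAMPLE_URL], fmt=plistlib.FMT_BINARY)
)

if __name__ == "__main__":
    for dump in (SAMPLE_HEX, SAMPLE_HEX_NO_REFERRER):
        print(ATTR, parse_where_froms(decode_xattr_hex(dump)))
```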
That’s all well and good, but what’s actually causing that dialog to display, and then go away again later?
So using the shiny new xattr utility, I took a look around. I found the com.apple.quarantine key. For a typical Safari download, it looked something like this:
For a Firefox (Minefield actually) download it looks more like this:
The GUID is probably related to the kMDItemWhereFroms, and is what the dialog is actually pulling the “Show Web Page” and “downloaded from” information from. By the way, it turns out that attribute gets set for all writes, including caches, Firefox profiles, etc. Probably a good thing.
fs_usage data supports the theory that mdworker is seeing the kMDItemWhereFroms attribute and setting com.apple.quarantine appropriately, but I can’t really be sure yet (I haven’t tried DTrace).
I was still a little confused (and concerned) as to how Apple was setting this bit on writes from Firefox, which has no special code, or regular writes from Safari, so I tried an experiment: I copied Minefield, edited its CFBundleIdentifier to be something nonsensical (in this case org.hello.world) and tried downloading a file. The attribute wasn’t set.
So Apple’s doing bundle ID sniffing. Awesome. For the sake of completeness, I tried something else. I tried the same trick on Safari (this time I used org.cooldude.CoolBrowse). I was further surprised to find that again all writes from CoolBrowse have the attribute set.
Really, I’m not sure what is going on here.
It looks like the xattr is actually set somewhere in the kernel (perhaps in seatbelt.kext?). I’m still curious as to how Safari’s getting special treatment here, and if other apps need (or want) to opt in.
Edit: Well I’ll be damned. Check out LSQuarantine.h. It speaks volumes about either me or Apple (or both!) that I didn’t even think to check for anything public.