File provider Extension and quarantine flag

Dear all, we are developing a File Provider Extension that synchronises files and folders across devices using our custom upload/download server. We have noticed that every file written in the temp folder of the extension has the quarantine flag set, thus preventing any app or executable from being launched from the folder itself.

Specifically, on each file we see these quarantine keys:

["LSQuarantineIsOwnedByCurrentUser": 1, "LSQuarantineTimeStamp": 2022-03-03 16:30:54 +0000, "LSQuarantineAgentName": XXXXX, "LSQuarantineType": LSQuarantineTypeSandboxed]

We also tried the following:

  1. LSFileQuarantineEnabled = NO in the info.plist
  2. com.apple.security.files.user-selected.executable = true in the entitlements

(in the main app and extension target)

  3. We tried in the application to use the following Swift code:

     var resourcevalues = URLResourceValues()
     resourcevalues.quarantineProperties = nil
     try self.setResourceValues(resourcevalues)

We didn't get any error using the code above, but the quarantine flag is still present.

All without success.

Only with this command does everything work:

sudo xattr -dr com.apple.quarantine path/to/AppOrExecutable

which, of course, is not feasible.

Any help on this?

We have noticed that every file written in the temp folder of the extension have the quarantine flag set

If your provider is sandboxed then this is unavoidable. A sandboxed process can’t create non-quarantined executables.

Except…

com.apple.security.files.user-selected.executable = true in the entitlements

Setting this entitlement won’t help by itself. This entitlement does not let your sandboxed process create non-quarantined executables willy-nilly.

Note the user-selected in the entitlement name. This clearly indicates that this entitlement is like the other user-selected entitlements, com.apple.security.files.user-selected.read-only and com.apple.security.files.user-selected.read-write, in that it controls the standard file panels. That is, if you have the com.apple.security.files.user-selected.executable then you can present a standard file panel that lets the user choose a save location and, when you save an executable there, it won’t be quarantined.

It’s hard to imagine this being useful in a file provider.

Hmmm, I guess you could avoid saving the executable but instead save a placeholder document in that location. If the user double-clicks that, it’d open in your container app, which would then present a save panel that allows the user to save the executable in a location of their choosing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
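
The save-panel flow described in the reply above, written out as an added example (not code from the thread or from Apple). It assumes a sandboxed container app holding both com.apple.security.files.user-selected.read-write and com.apple.security.files.user-selected.executable; `exportExecutable` and `stagedURL` are hypothetical names, and the result is read back rather than assumed.

```swift
import AppKit

// Added example. `stagedURL` is a hypothetical location the container app
// can read (for example a shared app group container) that holds the
// executable downloaded by the sandboxed extension.
func exportExecutable(from stagedURL: URL) {
    let panel = NSSavePanel()
    panel.nameFieldStringValue = stagedURL.lastPathComponent
    panel.canCreateDirectories = true

    panel.begin { response in
        // The user must pick the destination; nothing is written otherwise.
        guard response == .OK, let destination = panel.url else { return }
        do {
            // Write a new file at the user-chosen URL instead of copying the
            // staged item: a file-level copy can carry extended attributes,
            // including com.apple.quarantine, over to the destination.
            let contents = try Data(contentsOf: stagedURL, options: .mappedIfSafe)
            try contents.write(to: destination)
            try FileManager.default.setAttributes(
                [.posixPermissions: 0o755], ofItemAtPath: destination.path)

            // Check the outcome: the same LSQuarantine* dictionary shown in
            // the question is returned if the file is still quarantined.
            let values = try destination.resourceValues(
                forKeys: [.quarantinePropertiesKey])
            if let quarantine = values.quarantineProperties {
                print("Still quarantined: \(quarantine)")
            } else {
                print("No quarantine properties on \(destination.path)")
            }
        } catch {
            print("Export failed: \(error)")
        }
    }
}
```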

Hi Eskimo, thanks for your reply. Before choosing the final way to make it work, I would ask... is there any way to avoid the file provider being sandboxed, or is this mandatory?

Thanks Stefano
