How to set (restore) the com.apple.quarantine attribute?

You can copy an existing com.apple.quarantine attribute of an arbitrary file to a proxy file and then apply it to arbitrary other files. If you open certain file types (e.g. .txt files) the quarantine attribute will be ignored though.

Example:

xattr -p com.apple.quarantine /Users/user/dnscrypt-osxclient-1.0.12.dmg > quarantine.attr
xattr -w com.apple.quarantine "`cat quarantine.attr`" test.command 

This will apply the data gathered from the .dmg to the .command file - including download date and download app of the original dmg file. The original download date/app of the .command won't be restored though.

Source: Using xattr to set the Mac OSX quarantine property


Format of the quarantine attribute:

flag;date;app_name;UUID;
  1. at least 0001-0003 rises the "Do you really want to open this file..." dialog, but 0062 doesn't.
  2. date (in Unix hexadecimal timestamp at least 00000000-1c000000 are unknown dates, an early date which works is 1d000000: 02 Jun 1985 05:47:44 GMT)
  3. app (any app name allowed)
  4. A UUID related with a file download which can be found in /Users/user/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 (obviously facultative)

So using 0001;55555555;Klanomathiner; in the proxy file mentioned above and applying it to a file (in the example test.command) will rise:

enter image description here

or 0001;66666666;A Cyborg from the future;

enter image description here

After opening the file the first "flag" will be set to 0041 and reopening it won't rise anything.


With some bash/SQL-magic you may even recover the original UUID and the download date/app by querying for the file name in the sqlite database - which the file com.apple.LaunchServices.QuarantineEventsV2 represents - and restore the original quarantine attribute. But I'm too lazy to draw this up now. Someone else has done similar/related work already:

Read com.apple.quarantine

/usr/bin/xattr -p com.apple.quarantine "${file}"

Set com.apple.quarantine

application="cURL"
date=$(printf %x $(date +%s))
uuid=$(/usr/bin/uuidgen)
/usr/bin/xattr -w com.apple.quarantine "0002;${date};${application};${uuid}" "${file}"

Insert UUID into Database

download_url="http://example.com/file.zip"
date=$(($(date +%s) - 978307200))
/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "INSERT INTO \"LSQuarantineEvent\" VALUES('${uuid}',${date},NULL,'${application}','${download_url}',NULL,NULL,0,NULL,'${url}',NULL);"

Check if UUID exists in Database

/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT * FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier == '${uuid}'"

I like klanomath's answer a lot as it helped me understand what goes down under the hood.

However, I found a simpler way of resetting the quarantine: Just drag the application onto a new browser window and "re-download" it. It will have the quarantine flag added back to it.

If your application was notarized, the UI warnings won't come up. This is the same behaviour as klanomath's copy-quarantine-attribute technique.