There are questions with good answers that explain how to remove the com.apple.quarantine extended attribute but I was wondering how does one restore / set it back again?
I tried this:
xattr -w com.apple.quarantine $VALUE /Applications/AnApp.app
but apparently not knowing what attribute's value should be this achieves nothing.
I guess it is all about the attribute's value, which is of the following format:
com.apple.quarantine: 0061;53822fd4;Google\x20Chrome;C1022EC2-E1B2-4896-AF74-B68F4BF97779
What I want to do is make Gatekeeper ask me again whether I want to run this app or file, or not. Restore the same behavior as if the file was just downloaded from the Internet and it is run for the first time.
Best Answer
You can copy an existing com.apple.quarantine attribute of an arbitrary file to a proxy file and then apply it to arbitrary other files. If you open certain file types (e.g. .txt files) the quarantine attribute will be ignored though.
Example:
This will apply the data gathered from the .dmg to the .command file - including download date and download app of the original dmg file. The original download date/app of the .command won't be restored though.
Source: Using xattr to set the Mac OSX quarantine property
Format of the quarantine attribute:
So using
0001;55555555;Klanomathiner;
in the proxy file mentioned above and applying it to a file (in the example test.command) will rise:or
0001;66666666;A Cyborg from the future;
After opening the file the first "flag" will be set to 0041 and reopening it won't rise anything.
With some bash/SQL-magic you may even recover the original UUID and the download date/app by querying for the file name in the sqlite database - which the file com.apple.LaunchServices.QuarantineEventsV2 represents - and restore the original quarantine attribute.
But I'm too lazy to draw this up now.Someone else has done similar/related work already:Read com.apple.quarantine
Set com.apple.quarantine
Insert UUID into Database
Check if UUID exists in Database