Mark of the Web
Full Title
Context
Files from the Internet or similar sources could contain malware. Therefore, Microsoft came up with a security mechanism years ago where these files are marked with a Mark of the Web (MOTW) flag. Windows can display a security warning before opening and starting an executable file with a MotW flag set.
Mac OS/x
Since Mac OS X Leopard, applications that download files from the web have had the ability to mark files as being 'quarantined' [1]. A file being quarantined just means that you haven't yet approved the file. In Snow Leopard, this feature was enhanced to protect users against known malware such as Mac Defender. OS X stores quarantine information in extended file attributes [2]. Specifically, these are the relevant extended attributes:
- com.apple.metadata. This isn't specific to quarantining files, but it does appear to be used for the other information included in the quarantine prompt. This attribute contains two key-value pairs: kMDItemDownloadedDate (a date/time) and kMDItemWhereFroms (which contains two URLs: the direct download URL, and the download page URL). The kMDItemWhereFroms attribute also shows its data in the Get Info window in the Finder.
- com.apple.quarantine. This attribute contains the application's name that downloaded the file, the current quarantine status, among other things (presumably).
You can view a list of all extended attributes on a file by using the xattr shell command. Grab a DMG you have laying around, open the Terminal, and execute xattr -l path/to/file.dmg. You'll see something like this containing the extended attributes used for quarantining, as well as a couple of others:
On the developer side of things, to enable file quarantine for files downloaded through your application, simply set LSFileQuarantineEnabled to true in your Info.plist.
