com.apple.provenance issues

[maurice]

I'm running into an issue with FileBot on MacOS which seems to be caused by the --no-quarantine flag on install.

See: https://eclecticlight.co/2023/05/10/how ... e-of-apps/

As a result, MacOS will add the com.apple.provenance attribute on files and folders, after which I can not longer move them on my SMB mount. Even a "sudo mv" fails from the command line. E.g.:

Format: Select all

$ sudo mv FILE
mv: rename FILE to NEW: Operation not permitted

I've been able to remove the attribute from files, but not folders with: "xattr -d com.apple.provenance [FILE]".

The workaround for folders for me has been copying the folder on the server side, then removing the original via my mac and rename the copy remotely but this takes a fair bit of time.

[maurice]

Some updates after some further digging. I think I was getting two issues mixed up here.

I believe the mv issue was caused by locked files, I was able to resolve that with advice from StackOverflow:

Code: Select all

find . -flags uchg -exec chflags nouchg {} \;

The reason I got this mixed up with the com.apple.provenance attribute, is because neither issue was visible directly from the NAS. I didn't see the attributes (I do think they're present) and I could move the files.

But the mv issues are resolved once the files were unlocked.

So the main issue now is that the com.apple.provenance tag is all over my collection now.

I can remove it from files, but I get an error for folders. Saying they are not folders...

Code: Select all

 maurice.robert@maurice-macbook  /Volumes/shared/Movies  ls -la@ Monty\ Python\ and\ the\ Holy\ Grail\ \(1975\)\ \[tmdbid-762\]/.
total 1433448
drwx------@ 1 maurice.robert  staff      16384 Oct 28 11:14 .
        com.apple.provenance           11
drwx------  1 maurice.robert  staff      16384 Nov  3 13:29 ..
-rwx------@ 1 maurice.robert  staff  733765632 May 26  2010 Monty Python and the Holy Grail (1975).avi
        net.filebot.metadata          142
        net.filebot.filename           42
-rwx------@ 1 maurice.robert  staff      74205 May 25  2010 Monty Python and the Holy Grail (1975).heb.srt
        net.filebot.metadata          142
        net.filebot.filename           39
-rwx------@ 1 maurice.robert  staff      45748 May 25  2010 Monty Python and the Holy Grail (1975).heb.sub
        net.filebot.metadata          142
        net.filebot.filename           54
 maurice.robert@maurice-macbook  /Volumes/shared/Movies  xattr -dr com.apple.provenance Monty\ Python\ and\ the\ Holy\ Grail\ \(1975\)\ \[tmdbid-762\]
xattr: [Errno 20] Not a directory: 'Monty Python and the Holy Grail (1975) [tmdbid-762]'

EDIT: Seems to be the same issue as https://apple.stackexchange.com/questio ... -smb-share

[rednoah]

Strange indeed. Maybe try with sudo? Maybe try on folder specifically not with -r? Maybe try -c? Maybe run a few tests to set / remove custom xattr on folders to see if that works?

[maurice]

No I've tried all of those. I've even tried it with Integrity protection disabled, but it keeps saying directories aren't directories; this seems to have something to do with SMB. See the edit in my last post.

EDIT: Found another topic on this issue: https://www.macuser.de/threads/15-2-pro ... as.951221/

I don't think this is something I can resolve from my Mac at this point if it's due to an issue with SMB, so I'll have to find a way to remove the attributes through another machine. This didn't seem immediately possible from the DSM command line, so I'll have to do further research.

Either way, it'd be nice for FileBot to be signed so it doesn't have to be installed with no-quarantine, stuff it touches doesn't get tagged.

[rednoah]

DSM will store all the additional information into the @eaDir folder:

Console Output: Select all

$ find .
./@eaDir/Alias - S01E01 - Truth Be Told.mkv@SynoEAStream
./@eaDir/Alias - S01E01 - Truth Be Told.mkv@SynoResource
./@eaDir/Alias - S01E01 - Truth Be Told.mkv/SYNOINDEX_MEDIA_INFO
./Alias - S01E01 - Truth Be Told.mkv

I reckon that if you delete the @eaDir/<filename>@SynoEAStream file in the local file system, then all the NTFS alternate streams / extended attributes will disappear from the file from the SMB point-of-view.

Either way, it'd be nice for FileBot to be signed so it doesn't have to be installed with no-quarantine, stuff it touches doesn't get tagged.

--no-quarantine to the best of my understanding will simply allow to you run unsigned applications, much like how a developer would run unsigned applications during testing, or how you would run your own shell script on your own machine. This is normal, and AFAIK does not generally result in the com.apple.provenance issues. I reckon there's more to the story, especially since nobody else is reporting similar issues here. In any case, you can always use the *.pkg installer instead if you need a package that is signed.