What is the com.apple.provenance xattr, and why can it not be removed?

I'm trying to help a user with a problem with phantom installed keyboard layouts on Ventura. It looks like the key file is ~/Library/Preferences/com.apple.inputsources.plist, which shows the extra keyboard layouts that aren't referenced anywhere else that we've been able to find. But the file has the com.apple.provenance xattr set, which cannot be removed with xattr, and the file cannot be deleted.

I can't find anything that says what com.apple.provenance is for, with the only references being people saying that they don't know what it is, or another discussion on quarantine (https://developer.apple.com/forums/thread/723134) where it appears without comment.

Is there anything that can be done to fix the situation?

I have the same experience when generating a plist file for a self-developed agent.

Some background to the situation: The plist was written directly to the ~/Library/LaunchAgents folder using the python plistlib and standard python file creation: open(fileName) as fp:. The result was a correctly formatted plist file but with the com.apple.provenance attribute added. launchctl gives errors trying to load or bootstrap the file.

As in the OP's case xattr -d simply does not work on this extended attribute.

For the next attempt I'll try generating the file in a different folder then copying it to the ~/Library/LaunchAgents folder. I'll post an update in a couple of days.

I have files that are transferred using rclone from a remote server (with SFTP) to my NAS and then moved to my Mac mini that have this attribute.

It seems that macOS 13.2.1 Ventura is unable to remove this attribute. Strangely enough, I dug up my barely working 2012 MacBook Air still running Mojave 10.14.6. I was able to remove the extended attribute using the command xattr -c filename

If I use xattr -d filename even in Mojave, it doesn't remove the attribute.

Using the same (-c) command on Ventura apparently does nothing. It's really not a solution, but it's interesting that Mojave works but Ventura doesn't.

On the macOS Ventura (13.3) operating system running on Apple Silicon, I was able to remove the com.apple.provenance attribute by disabling the System Integrity Protection feature.

It is important to note that disabling the System Integrity Protection feature on macOS Ventura (13.3) can compromise the security of your system. Therefore, please exercise caution and do so at your own risk.

  1. Restart your Mac in safe mode (Start up your Mac in safe mode - Apple Support)
  2. Open Terminal from Utilities
  3. Run the following command
csrutil disable --with basesystem --with dtrace --with kext
  1. Restart your Mac
  2. Run the following command to remove com.apple.provenance from your file
xattr -d com.apple.provenance filename
What is the com.apple.provenance xattr, and why can it not be removed?
 
 
Q