What is the com.apple.provenance xattr, and why can it not be removed?

I'm trying to help a user with a problem with phantom installed keyboard layouts on Ventura. It looks like the key file is ~/Library/Preferences/com.apple.inputsources.plist, which shows the extra keyboard layouts that aren't referenced anywhere else that we've been able to find. But the file has the com.apple.provenance xattr set, which cannot be removed with xattr, and the file cannot be deleted.

I can't find anything that says what com.apple.provenance is for, with the only references being people saying that they don't know what it is, or another discussion on quarantine (https://developer.apple.com/forums/thread/723134) where it appears without comment.

Is there anything that can be done to fix the situation?

Post not yet marked as solved Up vote post of Mussau Down vote post of Mussau
3.6k views
Posted by
Mussau
Reply
Add a Comment

Replies

I have the same experience when generating a plist file for a self-developed agent.

Some background to the situation: The plist was written directly to the ~/Library/LaunchAgents folder using the python plistlib and standard python file creation: open(fileName) as fp:. The result was a correctly formatted plist file but with the com.apple.provenance attribute added. launchctl gives errors trying to load or bootstrap the file.

As in the OP's case xattr -d simply does not work on this extended attribute.

For the next attempt I'll try generating the file in a different folder then copying it to the ~/Library/LaunchAgents folder. I'll post an update in a couple of days.

Posted by
bldrvnlw
Up vote reply of bldrvnlw Down vote reply of bldrvnlw
Add a Comment

I have files that are transferred using rclone from a remote server (with SFTP) to my NAS and then moved to my Mac mini that have this attribute.

It seems that macOS 13.2.1 Ventura is unable to remove this attribute. Strangely enough, I dug up my barely working 2012 MacBook Air still running Mojave 10.14.6. I was able to remove the extended attribute using the command xattr -c filename

If I use xattr -d filename even in Mojave, it doesn't remove the attribute.

Using the same (-c) command on Ventura apparently does nothing. It's really not a solution, but it's interesting that Mojave works but Ventura doesn't.

Posted by
chrishch
Up vote reply of chrishch Down vote reply of chrishch
Add a Comment

On the macOS Ventura (13.3) operating system running on Apple Silicon, I was able to remove the com.apple.provenance attribute by disabling the System Integrity Protection feature.

It is important to note that disabling the System Integrity Protection feature on macOS Ventura (13.3) can compromise the security of your system. Therefore, please exercise caution and do so at your own risk.

  1. Restart your Mac in safe mode (Start up your Mac in safe mode - Apple Support)
  2. Open Terminal from Utilities
  3. Run the following command
csrutil disable --with basesystem --with dtrace --with kext
  1. Restart your Mac
  2. Run the following command to remove com.apple.provenance from your file
xattr -d com.apple.provenance filename
Posted by
ys64
Up vote reply of ys64 Down vote reply of ys64

  • presumably, you would want to do something like 'csrutil enable' afterward? With or without those other options? Precious little info in man csrutil.

    OsamaBinLogin
Add a Comment