Ins and outs of quarantine
Q: How does macOS Sierra know when an app has been downloaded from the internet, and so run a full security check on it? by Dan Hopkins
A: When your browser, or most other apps capable of downloading apps and installers, saves a download, it automatically attaches quarantine information to the file. This takes the form of an extended attribute, or xattr, named com.apple.quarantine, which puts the file into quarantine. The download is also recorded in the database at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2.
When you try to open or run that app, or any app installed from a quarantined disk image, archive or installer bundle, the Finder notifies Gatekeeper, which performs a full check on its signature(s). This ensures that, if a signature has been revoked, for example, macOS will refuse to run the app rather than compromise security. If the app passes that check, or you opt to run it without a valid signature, a flag in the xattr is changed to indicate that the full check has been performed successfully, and Gatekeeper won’t be asked to check it as thoroughly again.
Don’t try to circumvent these checks, by using tools like curl which bypass them, or by tampering with the quarantine xattr: they’re there for your security, to protect you from running malware.
When the quarantine xattr is set, opening an app will trigger a full Gatekeeper check of its signature(s), for your security.
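To see the state described above on your own files, this added example (not part of the original answer) reads the com.apple.quarantine xattr with the macOS `xattr` command and reports whether the full check is marked as done. It assumes the commonly documented value layout `flags;hex_time;agent;event_uuid` and that bit 0x0040 is the flag set after the first-run check; neither detail is stated in the answer, and the sample values are constructed.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"
CHECKED_BIT = 0x0040  # assumption: set once the full check was passed or overridden

def parse_quarantine(value):
    """Split 'flags;hex_time;agent;event_uuid' (assumed layout) into a dict."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    fields = value.strip("\x00 \n").split(";")
    if len(fields) < 2:
        raise ValueError("not a quarantine value: %r" % value)
    fields += [""] * (4 - len(fields))   # agent and event UUID may be absent
    flags = int(fields[0], 16)           # raises ValueError on non-hex input
    when = None
    if fields[1]:                        # assumed: hex seconds since the Unix epoch
        when = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    return {
        "flags": flags,
        "checked": bool(flags & CHECKED_BIT),
        "when": when,
        "agent": fields[2],
        "event_id": fields[3],
    }

def read_quarantine(path):
    """Return the parsed xattr for path, or None if the file is not quarantined."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:   # xattr exits non-zero when the attribute is absent
        return None
    return parse_quarantine(proc.stdout)

# Constructed sample values, not taken from a real download.
SAMPLES = {
    "fresh download": "0083;5f3c2a1b;Safari;11111111-2222-3333-4444-555555555555",
    "after first run": "00c3;5f3c2a1b;Safari;11111111-2222-3333-4444-555555555555",
    "no event id": "0081;5f3c2a1b;Chrome;",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        info = parse_quarantine(raw)
        state = "full check done" if info["checked"] else "full check pending"
        print("%-16s flags=%04x agent=%-7s %s" % (label, info["flags"], info["agent"], state))
```

On a Mac, `read_quarantine("/Applications/Example.app")` (a hypothetical path) returns the same dictionary for a real file, or None when no quarantine xattr is present.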