Reply to Seems like an issue in Gatekeeper or syspolicyd: killing random sibling of gone process
Hello,

Thank you for an extensive reply.

It sounds like something in your build process is creating these files with the quarantine bit set. An easy test would be to manually remove any quarantine bit immediately after creating the file and see if that fixes the problem.

I believe that this is not the case: if the program is not removed, it is actually allowed to run; it is not quarantined anyhow. I double-checked my logs. The log clearly indicates that the absence of a program causes the issue, and so there is no way to signal anything to Gatekeeper via xattrs (like un-quarantine): the file is already gone, and so are its xattrs.

I still believe that killing a sibling is not the right behavior here in any case. I would understand if the parent process was killed, but it is just another process run by the same parent that gets killed, and I have no good explanation for this behavior.
Topic: Code Signing SubTopic: General Tags:
Oct ’20
Reply to Seems like an issue in Gatekeeper or syspolicyd: killing random sibling of gone process
I filed an issue with DTS, but got no replies. However, it seems like I found a workaround.

This issue is definitely in inodes: basically, in case of 'File not found', macOS kills some other running process sharing the inode with the already removed file. There are no xattrs attached to this inode, and so I was unable to find a way to suppress the checks or avoid the kills. To me this behaviour still seems incorrect, but I cannot do anything about it.

Eventually I was able to avoid inode sharing in my build process by using clonefile(2) instead of a hard link. This has the same spatial impact as hardlinking, but some extra performance impact: it seems like OS processes like osqueryd, syspolicyd, XprotectService and JamfDaemon are more active with clonefile. This may be explained by their attempt to check each copy of a file I clone, while in the case of a hard link they only check the file once per inode.
Nov ’20
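The inode sharing described in the reply above can be audited in a build output tree. The following is an added example, not code from the original posts: it groups regular files by (device, inode) to find hard-linked paths and then gives each extra path its own inode. The function names are hypothetical, and a plain copy is used as a portable stand-in for clonefile(2), so unlike a clone it costs disk space.

```python
import os
import shutil
import stat
import tempfile
from collections import defaultdict


def find_shared_inodes(root):
    """Return {(st_dev, st_ino): [paths]} for regular files under root
    that share an inode with another path under root (hard links)."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                groups[(st.st_dev, st.st_ino)].append(path)
    return {key: sorted(paths) for key, paths in groups.items() if len(paths) > 1}


def unshare(paths):
    """Keep paths[0] as is; replace every other path with an independent copy.
    Assumption: a full copy stands in for clonefile(2) to stay portable."""
    for path in paths[1:]:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
        os.close(fd)
        try:
            shutil.copy2(path, tmp)  # copies data, mode and timestamps
            os.replace(tmp, path)    # atomic swap; path now has its own inode
        except BaseException:
            os.unlink(tmp)
            raise


def demo():
    """Constructed sample tree: one tool hard-linked under two names."""
    with tempfile.TemporaryDirectory() as root:
        tool = os.path.join(root, "tool")
        with open(tool, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.link(tool, os.path.join(root, "tool-alias"))
        before = find_shared_inodes(root)
        for paths in before.values():
            unshare(paths)
        return len(before), len(find_shared_inodes(root))


if __name__ == "__main__":
    print("shared inode groups before/after: %d/%d" % demo())
```

Processes already running from the old inode are unaffected by the swap, because os.replace only changes which inode the path name points to.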