"End-of-central-directory signature not found." when installing Xcode 8 beta xip file

Question

I've download the Xcode 8 beta .xip file. I cannot unzip. Opening the file just sits there for hours saying "Verifying..."

If I try from command line I get the following...

Downloads unzip Xcode_8_beta.xip  Archive:  Xcode_8_beta.xip   End-of-central-directory signature not found.  Either this file    is not a zipfile, or it constitutes one disk of a multi-part archive.            In the latter case the central directory and zipfile comment will be   found on the last disk(s) of this archive. unzip:  cannot find    zipfile directory in one of Xcode_8_beta.xip or Xcode_8_beta.xip.zip,    and cannot find Xcode_8_beta.xip.ZIP, period. 

Answer 1

The .xip file format contains an archive (xar containing a gzip archive and metadata) and a signature of the archive. The signature is important, since previously Xcode downloads have been altered (eg. XcodeGhost) to inject malicious code into apps. Therefore, approaches like skipping the verification (xattr -d com.apple.quarantine Xcode_8_beta.xip) seems irresponsible.

I strongly encourage you to try to open it with Archive Utility.app in your finder. If the signature check doesn't work, try re-downloading.

If you want to investigate whether the .xip is validly signed or for whatever reason want to expand it without Archive Utility, you can use pkgutil:

pkgutil --check-signature Xcode_8_beta.xip 

The output should be something like this:

    Package "Xcode_8_beta.xip":        Status: signed Apple Software        Certificate Chain:         1. Software Update            SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD            -----------------------------------------------------------------------------         2. Apple Software Update Certification Authority            SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF            -----------------------------------------------------------------------------         3. Apple Root CA            SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60 

If that signature isn't signed by an Apple Root CA that is in your Keychain, you should probably stop right there. If all is good so far, you can then run the following commands:

xar -xf Xcode_8_beta.xip sudo tar zxvf Content 

Answer 2

I'm not sure why Archive Utility is having so much trouble with these archives, but as long as your download itself isn't corrupt, extracting the app bundle out manually works consistently for me. I'm on the 10.12 GM seed (16A320), by the way.

The Xcode.app bundle is inside of a CPIO archive, which is xz'd and then packed into a v2 (i.e., Yosemite) PBZX stream (like the payloads in the Yosemite/Sierra install packages). That resulting stream is what's bundled with some metadata and then signed for distribution. Getting it out of all that mess isn't hard, but it takes a little bit of effort.

(If you'd like to see what this looks like, here's a recording of me doing it just now, complete with file sizes and certificate SHA1 hashes.)

1. Verify the signature and certificate chain that signed the archive.

   pkgutil --verbose --check-signature ./Xcode_8_GM_seed.xip 

2. Extract the PBZX stream from the archive.

   xar -xf ./Xcode_8_GM_seed.xip 

3. Obtain a PBZX v2 unpacker and... unpack the packed stuff.

   curl -O https://gist.githubusercontent.com/pudquick/ff412bcb29c9c1fa4b8d/raw/24b25538ea8df8d0634a2a6189aa581ccc6a5b4b/parse_pbzx2.py python parse_pbzx2.py Content 

4. Decompress the archive (there should only be one chunk, "part00").

   xz -d Content.part00.cpio.xz 

5. Unpack the CPIO archive as a privileged user (since the device frameworks have weird symlinks that make cpio complain otherwise, and it needs to be owned by root anyway) and move the resulting Xcode app bundle into /Applications.

   sudo cpio -idm < ./Content.part00.cpio sudo mv ./Xcode.app /Applications/ 

It should prompt you to do the post-install setup steps upon first launch.