"End-of-central-directory signature not found." when installing Xcode 8 beta xip file
Solution 1:
The .xip file format contains an archive (xar containing a gzip archive and metadata) and a signature of the archive. The signature is important, since previously Xcode downloads have been altered (eg. XcodeGhost) to inject malicious code into apps. Therefore, approaches like skipping the verification (xattr -d com.apple.quarantine Xcode_8_beta.xip) seems irresponsible.
I strongly encourage you to try to open it with Archive Utility.app in your finder. If the signature check doesn't work, try re-downloading.
If you want to investigate whether the .xip is validly signed or for whatever reason want to expand it without Archive Utility, you can use pkgutil:
pkgutil --check-signature Xcode_8_beta.xip
The output should be something like this:
Package "Xcode_8_beta.xip":
Status: signed Apple Software
Certificate Chain:
1. Software Update
SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
-----------------------------------------------------------------------------
2. Apple Software Update Certification Authority
SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
If that signature isn't signed by an Apple Root CA that is in your Keychain, you should probably stop right there. If all is good so far, you can then run the following commands:
xar -xf Xcode_8_beta.xip
sudo tar zxvf Content
Solution 2:
I'm not sure why Archive Utility is having so much trouble with these archives, but as long as your download itself isn't corrupt, extracting the app bundle out manually works consistently for me. I'm on the 10.12 GM seed (16A320), by the way.
The Xcode.app bundle is inside of a CPIO archive, which is xz'd and then packed into a v2 (i.e., Yosemite) PBZX stream (like the payloads in the Yosemite/Sierra install packages). That resulting stream is what's bundled with some metadata and then signed for distribution. Getting it out of all that mess isn't hard, but it takes a little bit of effort.
(If you'd like to see what this looks like, here's a recording of me doing it just now, complete with file sizes and certificate SHA1 hashes.)
-
Verify the signature and certificate chain that signed the archive.
pkgutil --verbose --check-signature ./Xcode_8_GM_seed.xip -
Extract the PBZX stream from the archive.
xar -xf ./Xcode_8_GM_seed.xip -
Obtain a PBZX v2 unpacker and... unpack the packed stuff.
curl -O https://gist.githubusercontent.com/pudquick/ff412bcb29c9c1fa4b8d/raw/24b25538ea8df8d0634a2a6189aa581ccc6a5b4b/parse_pbzx2.py python parse_pbzx2.py Content -
Decompress the archive (there should only be one chunk, "part00").
xz -d Content.part00.cpio.xz -
Unpack the CPIO archive as a privileged user (since the device frameworks have weird symlinks that make
cpiocomplain otherwise, and it needs to be owned by root anyway) and move the resulting Xcode app bundle into/Applications.sudo cpio -idm < ./Content.part00.cpio sudo mv ./Xcode.app /Applications/
It should prompt you to do the post-install setup steps upon first launch.
Solution 3:
The XIP file (extract in place) is just a special archive that verifies the unarchive with Apple. On a 2014 MacBook Pro i7 the Xcode 8 binary took over 30 minutes to extract. If the file is not making much progress after close to an hour, re-download the archive and try extracting again.
Additionally, Xcode 8.0 beta requires a Mac running macOS 10.11.4 or later. Make sure your system version is supported.
Xcode 8 Beta 2 note: macOS 10.11.5 or later is required to install Beta 2.