“End-of-central-directory signature not found.” when installing Xcode 8 beta xip file

The .xip file format contains an archive (xar containing a gzip archive and metadata) and a signature of the archive. The signature is important, since previously Xcode downloads have been altered (eg. XcodeGhost) to inject malicious code into apps. Therefore, approaches like skipping the verification (xattr -d com.apple.quarantine Xcode_8_beta.xip) seems irresponsible.

I strongly encourage you to try to open it with Archive Utility.app in your finder. If the signature check doesn’t work, try re-downloading.

If you want to investigate whether the .xip is validly signed or for whatever reason want to expand it without Archive Utility, you can use pkgutil:

pkgutil --check-signature Xcode_8_beta.xip

The output should be something like this:

    Package "Xcode_8_beta.xip":
       Status: signed Apple Software
       Certificate Chain:
        1. Software Update
           SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
           -----------------------------------------------------------------------------
        2. Apple Software Update Certification Authority
           SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
           -----------------------------------------------------------------------------
        3. Apple Root CA
           SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

If that signature isn’t signed by an Apple Root CA that is in your Keychain, you should probably stop right there. If all is good so far, you can then run the following commands:

xar -xf Xcode_8_beta.xip
sudo tar zxvf Content

Leave a Comment

Hata!: SQLSTATE[08004] [1040] Too many connections