Apple Xcode 8 beta now secured with digital signatures in .xip format

Posted:
in macOS
Apple has implemented the .xip file compression protocol with digital signatures for its newest Xcode 8 beta distribution, instead of the unsecured .zip format, guaranteeing that the contents have not changed since initial creation.




The .xip format is a version of the RAR compression method, but with the addition of allowing for "digital signatures" like those found in files downloaded from the App Store. As discussed in the "man" page, accessible from the Terminal, "A XIP file is an analog to zip, but allows for a digital signature to be applied and verified on the receiving system, before the archive is expanded."

Apple's Archive Utility, included by default in macOS, handles the archives with no other user action needed. The file format itself has been supported since OS X 10.6.

Partially as a result of the shift, the decompression process is taking significantly more time than previous versions with some users reporting up to 30 minutes to install the new Xcode beta following download.

AppleInsider testing showed 21 minutes to decompress the file on a 2012 i7 Retina MacBook Pro, and 31 minutes on a 2012 i7 Mac mini with SATA SSD upgrade. A previous version of Xcode compressed in .zip format took eight minutes to decompress on the same Mac mini, but lacked the security features inherent in the .xip file.

Previous Xcode beta releases have been distributed in Apple's .dmg format, or a .zip file. Where both the .zip and .dmg files have rudimentary checksums to warn the user that it may have been corrupted in transit, there are no safeguards against tampering.

While there appears to be a higher than normal incidence of decompression problems with the .xip files, there are fixes. The most effective fix is a reinstallation of OS X 10.11.5 or the macOS 10.12 beta from the recovery partition. Other users are turning to disabling the signature check in the Terminal, defeating the purpose of distribution in .xip format.

Apple's move to the .xip format for Xcode was likely made in response to 2015's "XcodeGhost" incident. In September 2015, a hacker group altered code in a privately-hosted version of Xcode, which piggybacked malware onto compiled apps, without the knowledge of the coder.

All of the afflicted apps have since been purged from the App Stores. As a result of the incident, Apple started hosting Xcode on Chinese servers, to combat the tendency of developers to download from local, faster non-Apple repositories.

Comments

  • Reply 1 of 8
    SpamSandwichSpamSandwich Posts: 30,571member
    Chinese servers under the complete control of the Chinese government, no doubt.
  • Reply 2 of 8
    RosynaRosyna Posts: 82member
    Where both the .zip and .dmg files have rudimentary checksums to warn the user that it may have been corrupted in transit, there are no safeguards against tampering. 


    As of Mac OS X 10.11.5, the codesign tool supports signing disk images (https://developer.apple.com/library/prerelease/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG18).

    The purpose of the xip format and signed disk images isn't to prevent things like XcodeGhost, which was correctly stopped by Gatekeeper because the code signature was invalid. It's to exclude an app from the new App Translocation security feature (http://lapcatsoftware.com/articles/app-translocation.html) in Sierra. App Translocation was designed to fix a Gatekeeper vulnerability (http://arstechnica.com/security/2016/01/how-malware-developers-could-bypass-macs-gatekeeper-without-really-trying/) that allowed malicious actors to hijack signed (usually by Apple) applications by forcing them to load malicious external resources that are located in specific places on disk relative to the signed binary.

    That is, the ability to use signed xip archives and signed disk images is only useful on Mac OS X 10.12 or later.

    The reason why Xcode 8.0 beta is shipped as a xip and not in a signed disk image is because the Xcode beta is freakin' huge! After decompressing it, Xcode 8 comes in at over 12GB! As a disk image, you'd be required to have both the disk image and Xcode exist on disk at the same time because you'd have to download it, mount it, copy Xcode to /Applications (which requires the Disk Image framework to decompress Xcode while copying it), unmount the disk image, and then delete the original image.

    A xip permits Archive Utility to do the decompression and deletion for you. If your Downloads folder is on the same volume as /Applications/, then only an additional move, not a copy, it required.

    edited July 2016 ai46
  • Reply 3 of 8
    crowleycrowley Posts: 5,644member
    Chinese servers under the complete control of the Chinese government, no doubt.
    If the xip does it's job then it really doesn't matter, surely?
  • Reply 4 of 8
    crowley said:

    If the xip does it's job then it really doesn't matter, surely?
    Agreed, if it does it's job. Unfortunately, in my experience, it has not been properly signed by Apple.

    Only switching OS X security settings to the installation of apps from any source — before (!)  trying to expand the xip file — did the trick.

    Leaving settings to App Store and certified developers was not good enough.

    This is rather annoying since the verification process takes quite a while on a rather slow machine as a Mac mini. You would need to start all over again if you forget to adapt your security settings before.

    And don't you forget to switch your security settings back, once you have installed your Xcode beta…
  • Reply 5 of 8
    crowleycrowley Posts: 5,644member
    haptic said:
    crowley said:

    If the xip does it's job then it really doesn't matter, surely?
    Agreed, if it does it's job. Unfortunately, in my experience, it has not been properly signed by Apple.

    Only switching OS X security settings to the installation of apps from any source — before (!)  trying to expand the xip file — did the trick.
    Err... if that's your first reaction then the entire endeavour is rendered pretty pointless.  How do you distinguish between a xip that hasn't been properly signed by Apple and one that has been tampered with?

    Wait for Apple to fix it.
    edited July 2016 Rosyna
  • Reply 6 of 8
    Err... if that's your first reaction then the entire endeavour is rendered pretty pointless.  How do you distinguish between a xip that hasn't been properly signed by Apple and one that has been tampered with?

    Wait for Apple to fix it.
    Of course, I see your point. But waiting for Apple to fix it? We are on beta 3 and they did not manage offering properly signed stuff.

    Since I am not downloading from a Chinese server, but after signing in at Apple's, I currently rather prefer risking this uncertainty than keep on waiting until Apple will fix this — by beta 5.

    Sorry, but the real problem is that Apple failed delivering professional stuff in the first place. There is a reason why I switch this OS X security feature back on after installing this Xcode beta.

    Why has this Xcode beta 3 not been properly signed by Apple? Even more so since they just had switched their installing file format? Actually, I expect them to test this out on a normal average machine before rolling it out.
  • Reply 7 of 8
    crowleycrowley Posts: 5,644member
    haptic said:
    Err... if that's your first reaction then the entire endeavour is rendered pretty pointless.  How do you distinguish between a xip that hasn't been properly signed by Apple and one that has been tampered with?

    Wait for Apple to fix it.
    Of course, I see your point. But waiting for Apple to fix it? We are on beta 3 and they did not manage offering properly signed stuff.

    Since I am not downloading from a Chinese server, but after signing in at Apple's, I currently rather prefer risking this uncertainty than keep on waiting until Apple will fix this — by beta 5.

    Sorry, but the real problem is that Apple failed delivering professional stuff in the first place. There is a reason why I switch this OS X security feature back on after installing this Xcode beta.

    Why has this Xcode beta 3 not been properly signed by Apple? Even more so since they just had switched their installing file format? Actually, I expect them to test this out on a normal average machine before rolling it out.
    It's a beta. Give feedback.
  • Reply 8 of 8
    It's a beta. Give feedback.
    Yes, this is what I usually do — but more on iOS/watchOS relevant issues. Not so much on meta-related tools like Xcode ;-)
Sign In or Register to comment.