Apple Xcode 8 beta now secured with digital signatures in .xip format

Posted in macOS (edited February 2020)
Apple has distributed its newest Xcode 8 beta as a digitally signed .xip archive instead of an unsigned .zip file, so that the receiving Mac can verify that the contents have not changed since Apple created the archive.

The .xip format is a variant of Apple's xar archive format with a digital signature added, comparable to the signatures on software downloaded from the App Store. As the format's "man" page, accessible from the Terminal, puts it, "A XIP file is an analog to zip, but allows for a digital signature to be applied and verified on the receiving system, before the archive is expanded." Apple's Archive Utility, included by default in macOS, handles the archives with no further user action. The file format itself has been supported since OS X 10.6.

Partly as a result of the shift, decompression takes significantly longer than for previous releases, with some users reporting up to 30 minutes to install the new Xcode beta after downloading it. AppleInsider testing showed 21 minutes to decompress the file on a 2012 i7 Retina MacBook Pro, and 31 minutes on a 2012 i7 Mac mini with a SATA SSD upgrade. A previous Xcode release compressed in .zip format took eight minutes to decompress on the same Mac mini, but lacked the integrity protection the .xip file provides.

Previous Xcode beta releases were distributed as Apple .dmg disk images or as .zip files. Both formats carry rudimentary checksums that warn the user when a file may have been corrupted in transit, but a checksum can be recomputed by anyone who modifies the file, so neither offers any safeguard against deliberate tampering. Only a signature made with a key the attacker does not hold does that.

There appears to be a higher than normal incidence of decompression problems with the .xip files, but there are fixes. The most effective is a reinstallation of OS X 10.11.5 or the macOS 10.12 beta from the recovery partition. Other users are turning to disabling the signature check in the Terminal, which defeats the purpose of distributing Xcode in .xip format in the first place: an archive expanded without verification is no safer than the .zip it replaced.

Apple's move to the .xip format for Xcode was likely made in response to 2015's "XcodeGhost" incident. In September 2015, attackers altered the code of a privately hosted copy of Xcode so that it injected malware into compiled apps without the developer's knowledge.

All of the affected apps have since been purged from the App Store. As a result of the incident, Apple also started hosting Xcode on servers in China, to counter developers' tendency to download the tool from faster local repositories not run by Apple.
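The "verified before the archive is expanded" property described above follows from how a .xip is laid out: it is a xar container whose header points at a compressed table of contents (TOC), and the heap that follows begins with a digest of that TOC and a signature computed over the digest, so a receiver can authenticate the TOC before inflating a single byte of content. The following is an added example, not code from the article, from Apple's xip(1) or from the xar project. It builds a constructed xar-shaped fixture in memory (the certificate and the 256-byte signature blob are placeholders, not real Apple material) and then parses the header, verifies the stored TOC digest and reports the signature elements the TOC advertises. It deliberately stops short of the RSA/CMS verification, which on a Mac is what `pkgutil --check-signature` performs.

```python
"""Walk the container layout of a .xip archive and check the table-of-contents
digest, the value the signature actually covers. Added example; not code from
the article, Apple's xip(1), or xar. The archive is a constructed fixture with
a placeholder signature blob, so it runs offline; it is not a replacement for
`pkgutil --check-signature`, which does the real RSA/CMS verification."""
import base64
import hashlib
import struct
import zlib
import xml.etree.ElementTree as ET

# xar container header, big-endian: magic, header size, version,
# compressed TOC length, uncompressed TOC length, checksum algorithm id.
XAR_MAGIC = 0x78617221  # b"xar!"
XAR_HEADER = struct.Struct(">IHHQQI")
CKSUM_ALG = {0: None, 1: "sha1", 2: "md5", 3: "other"}

# Minimal TOC in the shape xar uses: checksum and signature blobs are located
# by heap offset/size, the KeyInfo block follows the XML-DSig schema.
TOC_TEMPLATE = (
    '<xar><toc>'
    '<checksum style="sha1"><offset>0</offset><size>20</size></checksum>'
    '<signature style="RSA"><offset>20</offset><size>256</size>'
    '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
    '<X509Certificate>{cert}</X509Certificate></X509Data></KeyInfo></signature>'
    '<file id="1"><name>{name}</name><type>file</type>'
    '<data><offset>276</offset><length>{length}</length><size>{length}</size>'
    '<encoding style="application/octet-stream"/></data></file>'
    '</toc></xar>'
)


def build_sample_xip(tamper_toc=False):
    """Constructed xar/xip-shaped fixture (not a real Apple download).
    Heap layout: TOC digest (20 bytes) | placeholder signature (256) | file data.
    With tamper_toc=True the TOC is rewritten after the digest was taken, the way
    a modified download looks when the attacker cannot re-sign it."""
    payload = b"placeholder app bundle bytes"
    cert = base64.b64encode(b"not a real certificate").decode()  # hypothetical
    genuine = TOC_TEMPLATE.format(cert=cert, name="Xcode-beta.app", length=len(payload))
    # The signature (placeholder here) would be computed over this digest.
    digest = hashlib.sha1(zlib.compress(genuine.encode())).digest()
    toc_text = genuine
    if tamper_toc:
        toc_text = TOC_TEMPLATE.format(cert=cert, name="Xcode-beta.app.trojan",
                                       length=len(payload))
    toc_comp = zlib.compress(toc_text.encode())
    signature_blob = b"\x00" * 256  # stands in for the real RSA signature bytes
    header = XAR_HEADER.pack(XAR_MAGIC, XAR_HEADER.size, 1,
                             len(toc_comp), len(toc_text), 1)
    return header + toc_comp + digest + signature_blob + payload


def inspect_xar(blob):
    """Parse header and TOC, verify the TOC digest stored in the heap, and
    report the signature material the TOC advertises. This is the portion of
    the check a receiver can do before inflating any content; verifying the
    signature over the digest against Apple's chain is not performed here."""
    magic, hdr_size, version, toc_c, toc_u, alg = XAR_HEADER.unpack_from(blob, 0)
    if magic != XAR_MAGIC:
        raise ValueError("not a xar/xip container")
    toc_comp = blob[hdr_size:hdr_size + toc_c]
    toc_xml = zlib.decompress(toc_comp)
    if len(toc_xml) != toc_u:
        raise ValueError("TOC length mismatch")
    heap = blob[hdr_size + toc_c:]
    toc = ET.fromstring(toc_xml).find("toc")

    cks = toc.find("checksum")
    style = cks.get("style") or CKSUM_ALG[alg]
    off, size = int(cks.findtext("offset")), int(cks.findtext("size"))
    stored = heap[off:off + size]
    computed = hashlib.new(style, toc_comp).digest()

    signatures = []
    for tag in ("signature", "x-signature"):  # signed xars may carry RSA and CMS
        for sig in toc.findall(tag):
            certs = [e for e in sig.iter() if e.tag.endswith("X509Certificate")]
            signatures.append({"style": sig.get("style"),
                               "size": int(sig.findtext("size")),
                               "certificates": len(certs)})
    return {
        "version": version,
        "checksum_style": style,
        "toc_digest_ok": stored == computed,
        "signatures": signatures,
        "files": [f.findtext("name") for f in toc.findall("file")],
    }


if __name__ == "__main__":
    for label, blob in (("genuine", build_sample_xip()),
                        ("tampered", build_sample_xip(tamper_toc=True))):
        print(label, inspect_xar(blob))
```

The tampered fixture fails at the digest step, which is also all a .zip's CRC or a .dmg's checksum could ever catch. An attacker who recomputes the digest passes that step and is stopped only by the signature over it, which is the piece the "disable the signature check" workaround throws away. On a Mac, `pkgutil --check-signature Xcode_8_beta.xip` reports the signing chain and `xip --expand` refuses an archive whose signature does not verify.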

Comments

  • Reply 1 of 8
    SpamSandwich (Posts: 33,407)
    Chinese servers under the complete control of the Chinese government, no doubt.
  • Reply 2 of 8
    Rosyna (Posts: 87)
    Where both the .zip and .dmg files have rudimentary checksums to warn the user that it may have been corrupted in transit, there are no safeguards against tampering.

    As of Mac OS X 10.11.5, the codesign tool supports signing disk images (https://developer.apple.com/library/prerelease/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG18).

    The purpose of the xip format and signed disk images isn't to prevent things like XcodeGhost, which was correctly stopped by Gatekeeper because the code signature was invalid. It's to exclude an app from the new App Translocation security feature (http://lapcatsoftware.com/articles/app-translocation.html) in Sierra. App Translocation was designed to fix a Gatekeeper vulnerability (http://arstechnica.com/security/2016/01/how-malware-developers-could-bypass-macs-gatekeeper-without-really-trying/) that allowed malicious actors to hijack signed (usually by Apple) applications by forcing them to load malicious external resources that are located in specific places on disk relative to the signed binary.

    That is, the ability to use signed xip archives and signed disk images is only useful on Mac OS X 10.12 or later.

    The reason why Xcode 8.0 beta is shipped as a xip and not in a signed disk image is because the Xcode beta is freakin' huge! After decompressing it, Xcode 8 comes in at over 12GB! As a disk image, you'd be required to have both the disk image and Xcode exist on disk at the same time because you'd have to download it, mount it, copy Xcode to /Applications (which requires the Disk Image framework to decompress Xcode while copying it), unmount the disk image, and then delete the original image.

    A xip permits Archive Utility to do the decompression and deletion for you. If your Downloads folder is on the same volume as /Applications/, then only an additional move, not a copy, is required.

    edited July 2016
  • Reply 3 of 8
    crowley (Posts: 10,453)
    Chinese servers under the complete control of the Chinese government, no doubt.
    If the xip does its job then it really doesn't matter, surely?
  • Reply 4 of 8
    haptic
    crowley said:
    If the xip does its job then it really doesn't matter, surely?
    Agreed, if it does its job. Unfortunately, in my experience, it has not been properly signed by Apple.

    Only switching the OS X security settings to allow the installation of apps from any source — before (!) trying to expand the xip file — did the trick.

    Leaving the settings at App Store and certified developers was not good enough.

    This is rather annoying, since the verification process takes quite a while on a rather slow machine such as a Mac mini. You would need to start all over again if you forget to adapt your security settings beforehand.

    And don't forget to switch your security settings back once you have installed your Xcode beta…
  • Reply 5 of 8
    crowley (Posts: 10,453)
    haptic said:
    crowley said:

    If the xip does its job then it really doesn't matter, surely?
    Agreed, if it does its job. Unfortunately, in my experience, it has not been properly signed by Apple.

    Only switching the OS X security settings to allow the installation of apps from any source — before (!) trying to expand the xip file — did the trick.
    Err... if that's your first reaction then the entire endeavour is rendered pretty pointless. How do you distinguish between a xip that hasn't been properly signed by Apple and one that has been tampered with?

    Wait for Apple to fix it.
    edited July 2016
  • Reply 6 of 8
    haptic
    crowley said:
    Err... if that's your first reaction then the entire endeavour is rendered pretty pointless. How do you distinguish between a xip that hasn't been properly signed by Apple and one that has been tampered with?

    Wait for Apple to fix it.
    Of course, I see your point. But waiting for Apple to fix it? We are on beta 3 and they did not manage to offer properly signed stuff.

    Since I am not downloading from a Chinese server, but after signing in at Apple's, I currently prefer risking this uncertainty to waiting until Apple fixes this — by beta 5.

    Sorry, but the real problem is that Apple failed to deliver professional stuff in the first place. There is a reason why I switch this OS X security feature back on after installing this Xcode beta.

    Why has this Xcode beta 3 not been properly signed by Apple? Even more so since they had just switched their installation file format? Actually, I expect them to test this out on a normal average machine before rolling it out.
  • Reply 7 of 8
    crowley (Posts: 10,453)
    haptic said:
    Err... if that's your first reaction then the entire endeavour is rendered pretty pointless. How do you distinguish between a xip that hasn't been properly signed by Apple and one that has been tampered with?

    Wait for Apple to fix it.
    Of course, I see your point. But waiting for Apple to fix it? We are on beta 3 and they did not manage to offer properly signed stuff.

    Since I am not downloading from a Chinese server, but after signing in at Apple's, I currently prefer risking this uncertainty to waiting until Apple fixes this — by beta 5.

    Sorry, but the real problem is that Apple failed to deliver professional stuff in the first place. There is a reason why I switch this OS X security feature back on after installing this Xcode beta.

    Why has this Xcode beta 3 not been properly signed by Apple? Even more so since they had just switched their installation file format? Actually, I expect them to test this out on a normal average machine before rolling it out.
    It's a beta. Give feedback.
  • Reply 8 of 8
    crowley said:
    It's a beta. Give feedback.
    Yes, this is what I usually do — but more on iOS/watchOS relevant issues. Not so much on meta-related tools like Xcode ;-)