The .xip file format contains an archive (xar containing a gzip archive and metadata) and a signature of the archive.
To decode an .xip file, use the following commands:
pkgutil --check-signature <xip-file> xar -xf <xip-file> tar -zxvf <xar-file>