Fix Swift SDK bundles not working due to quarantine

Sources/Basics/FileSystem/FileSystem+Extensions.swift

@@ -19,6 +19,7 @@ import struct TSCBasic.ByteString
 import struct TSCBasic.FileInfo
 import class TSCBasic.FileLock
 import enum TSCBasic.FileMode
+import enum TSCBasic.FileSystemAttribute
 import protocol TSCBasic.FileSystem
 import var TSCBasic.localFileSystem
 import protocol TSCBasic.WritableByteStream
@@ -71,8 +72,8 @@ extension FileSystem {
 
     /// Returns `true` if a given path has a quarantine attribute applied if when file system supports this attribute.
     /// Returns `false` if such attribute is not applied or it isn't supported.
-    public func hasQuarantineAttribute(_ path: AbsolutePath) -> Bool {
-        self.hasQuarantineAttribute(path.underlying)
+    public func hasAttribute(_ name: FileSystemAttribute, _ path: AbsolutePath) -> Bool {
+        self.hasAttribute(name, path.underlying)
     }
 
     /// Get the contents of the given directory, in an undefined order.

Sources/PackageModel/Destination.swift

@@ -52,6 +52,11 @@ public enum DestinationError: Swift.Error {
     /// A destination with this artifact ID is already installed. Can't install a new bundle with this artifact,
     /// installed artifact IDs are expected to be unique.
     case destinationArtifactAlreadyInstalled(installedBundleName: String, newBundleName: String, artifactID: String)
+
+    #if os(macOS)
+    /// Quarantine attribute should be removed by the `xattr` command from an installed bundle.
+    case quarantineAttributePresent(bundlePath: AbsolutePath)
+    #endif
 }
 
 extension DestinationError: CustomStringConvertible {
@@ -93,6 +98,17 @@ extension DestinationError: CustomStringConvertible {
             `\(installedBundleName)`. Can't install a new bundle `\(newBundleName)` with this artifact, artifact IDs \
             are expected to be unique across all installed Swift SDK bundles.
             """
+        #if os(macOS)
+        case .quarantineAttributePresent(let bundlePath):
+            return """
+            Quarantine attribute is present on a Swift SDK bundle at path `\(bundlePath)`. If you're certain that the \
+            bundle was downloaded from a trusted source, you can remove the attribute with this command:
+
+            xattr -d -r -s com.apple.quarantine "\(bundlePath)"
+
+            and try to install this bundle again.
+            """
+        #endif
         }
     }
 }

Sources/PackageModel/SwiftSDKBundle.swift

@@ -12,6 +12,7 @@
 
 import Basics
 
+import protocol TSCBasic.FileSystem
 import struct Foundation.URL
 import struct TSCBasic.RegEx
 
@@ -245,6 +246,13 @@ public struct SwiftSDKBundle {
         _ archiver: some Archiver,
         _ observabilityScope: ObservabilityScope
     ) throws {
+        #if os(macOS)
+        // Check the quarantine attribute on bundles downloaded manually in the browser.
+        guard fileSystem.hasAttribute(.quarantine, bundlePath.underlying) else {
+            throw DestinationError.quarantineAttributePresent(bundlePath: bundlePath)
+        }
+        #endif
+
         let unpackedBundlePath = try unpackIfNeeded(
             bundlePath: bundlePath,
             destinationsDirectory: destinationsDirectory,