Apple Software Update client

Apple Software Update client queries the following URLs for update catalogs by default:

10.5 client: http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog
10.4 client: http://swscan.apple.com/content/catalogs/index-1.sucatalog
Windows client: http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog
10.3 client: http://swscan.apple.com/scanningpoints/scanningpointX.xml

The .sucatalog format is the same for 10.4, 10.5 and the Windows Apple Software Update client.

Note swscan.apple.com/content/catalogs seems to have the same content as swcatalog.apple.com/content/catalogs. swcatalog is akamai hosted, swcan is not (and is MUCH slower).

For each available update the .sucatalog file lists a URL to a .dist (Installer distribution script) and a URL to an install package (or a few packages) to be installed if the .dist script says it is needed.

The URLs all point to various files within http://swcdn.apple.com/content/downloads/ at present. swcdn is akamai hosted.

Each .dist script can call javascript commands in a special Installer framework sandbox to work out if they should be installed or not.

The .dist files used to work out if an update applies are neither signed nor checksummed.

The actual install package/exe is signed:

10.4: In the case of updates destined for 10.4 this is a double tar'd pkg directory -- inside the first tar are two files: signature and updatename.pkg. The signature can be verified with the Apple 10.4 update public key at: /System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/Resources/PublicKey.plist.
10.5: The updates which are 10.5 specific are a xar archive. The xar standard specifies an XML table of contents which contains checksums of each file in the archive, and a checksum of the table of contents itself. Apple has a non-standard(?, but sensible) signature blob in the xar archive, presumably this is an RSA-signature of the checksum of the table of contents.
10.3/(10.2?): originally had no signature at all on the install packages. Now uses a https service to retrieve a valid checksum for the downloaded update file.

Pointing the Software Update client to a non-default server

Mac clients can be pointed to a catalog file other than the default via:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL -string "http://appleupdate.centenary.usyd.edu.au:8088/index.sucatalog"
if the address given ends in '/' the update client can automatically append the index.sucatalog. The client is quite happy being pointed to a server running on tcp/80 rather than tcp/8088.

Alternatively, if you control your network -- you can use a web proxy server redirect, or a DNS static entry pointed locally for swscan.apple.com and swcatalog.apple.com (taking care that your mirror server can still get out to the real server).
The benefit of this mechanism is that no client change is required, this is perhaps desirable if personally owned student laptops hang out on your laptop and you don't want to change every client. (if any of your Internet charge is per GB this is a happy thing to do!)
You only need to catch the request for the .sucatalog files, nothing will be downloaded from swcdn.apple.com unless pointed that way by the .sucatalog file.

Apple Software Update server

The Apple Software Update server is merely an instance of Apache serving up a mirror of what is available at swscan.apple.com / swcatalog.apple.com / swcdn.apple.com. In default configuration it runs on port tcp/8088. To sync the updates with the Apple servers a separate process -- /usr/sbin/swupd_syncd is run.

The operation of swupd_syncd differs between 10.4 and 10.5 server:

10.4: downloads two files
- http://swscan.apple.com/content/catalogs/index-1.sucatalog
- http://swscan.apple.com/content/catalogs/revocations.sucatalog
Thus it is mirroring exactly the index-1.sucatalog that the 10.4 clients would ordinarily retrieve. It also tries to download a revocations.sucatalog file (it has always returned a 404 error when I have sucked it down).
10.5: downloads a single control file:
http://swscan.apple.com/content/meta/mirror-config-1.plist
which currently lists two catalogs to mirror:
- http://swscan.apple.com/content/catalogs/index.sucatalog
- http://swscan.apple.com/content/catalogs/others/index-windows-1.sucatalog
index.sucatalog is a merge of all updates relevant to either 10.4 or 10.5 clients.

Subsequent to downloading the .sucatalog files swupd_syncd mirrors all the URLs listed inside the .sucatalog file (dependent on how you have configured it in ServerAdmin)

Alternative for serving the updates

If you do not want any control of what updates are enabled a script that simply grabs the .sucatalog files and mirrors the contents is a robust replacement to the Apple offering. (and can be run off a beefy linux/unix mirroring server if you are a big uni and have such a thing)

It is a tiny bit more work if you want control over which updates are becoming enabled. (work I haven't done because I don't really want nor need that)

The various catalog files

10.5 client: http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog
10.4 client: http://swscan.apple.com/content/catalogs/index-1.sucatalog
10.5 Apple update server (should contain the updates for both 10.5 and 10.4):
http://swscan.apple.com/content/catalogs/index.sucatalog
which at the present time is identical to index-leopard.merged-1.sucatalog
Windows client: http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog