It's probably for the new feature of 10.4.7 that verifies that Apple-featured Dashboard widgets you download are intact when you install them. It's in the documentation for the update.

Posted by: Aaron on June 27, 2006 2:14 PM

It seems to do nothing. The executable file has 20 instructions in its __TEXT section. There are no included symbols. rsrc file is a couple string resources that repeat "Verified Download Plugin" over and over.

Posted by: Ryan Govostes on June 27, 2006 2:55 PM

Ryan, yup, that's exactly what I saw too. Glass I'm not completely insane.

Posted by: Rosyna on June 27, 2006 3:14 PM

It's Apple's answer to Rosyna's Ceiling Cat, and the Trunk Monkey:

http://www.trunkmonkeyad.com/4qt.htm

Both look to guard matters ;)

Posted by: CREB on June 27, 2006 3:40 PM

See also:
/System/Library/CoreServices/VerifiedDownloadAgent.app

Posted by: encro on June 27, 2006 4:18 PM

encro, interesting. That looks like it does something with Dashboard widgets. However, there is no reference to the VerifiedDownloadPlugin.plugin inside that.

This VerifiedDownloadAgent thing appears to have a bunch of widgets and a window. But downloading a dashboard widget doesn't appear to invoke this new agent.

Posted by: Rosyna on June 27, 2006 4:36 PM

From the symbols of the VerifiedDownloadAgent.app, it looks like it's a way for Apple to secure a download (i.e., cryptographically ensure nothing got swapped).

U _SecureDownloadCopyTicketLocation
U _SecureDownloadCopyURLs
U _SecureDownloadCreateWithTicket
U _SecureDownloadFinished
U _SecureDownloadRelease
U _SecureDownloadUpdateWithData

I'm guessing it's for Software Update, but maybe someone should write an APE module for this that pops up an alert whenever one of these functions is called, so we know for sure?

Posted by: Ryan Govostes on June 27, 2006 5:28 PM

But that's from the VerifiedDownloadAgent application, not the VerifiedDownloadPlugin. The latter links to no functions.

In fact, Safari itself supports this new vdownload stuff (application/x-verifieddownload is part of the binary) so there would be no reason for the internet plugin. And because safari itself supports it, why bother to have an Internet Plug-In that does nothing for a feature no other browser can use?

Posted by: Rosyna on June 27, 2006 5:36 PM

Perhaps Safari just checks for the plugin's existence as a courtesy, so that you can delete the plugin file and Safari will disable support for it.

The .app and .plugin seem to be related, since both contain references to "SecureDownloadAgent", at least.

Posted by: Ryan Govostes on June 27, 2006 5:43 PM

Safari itself never looks for that file.

 And if it was used to determine something for another app, why a file? Why a file with a resource file? Why not a defaults setting like everything else?

Posted by: Rosyna on June 27, 2006 5:47 PM

But even with all these comments, can anyone actually do something that causes this VerifiedDownloadAgent to launch?

Posted by: Rosyna on June 27, 2006 5:51 PM

I'm grepping my whole HD for references to it. This will take a while.

Posted by: Ryan Govostes on June 27, 2006 6:06 PM

I'm guessing it's a placeholder for some kind of DRM, or to allow third-party DRM support, possibly for video downloads.

Unfortunately installing the upgrade froze my MBP, damaging launchd & making it unbootable. I'm now doing an archive install on it.

Posted by: Mike Cohen on June 27, 2006 6:48 PM

Hello!!?

Why nobody take time to read release notes? All is wrote black on white in the detailed informations of 10.4.7 update (http://docs.info.apple.com/article.html?artnum=303771):

- You can now verify whether or not a Dashboard widget you downloaded is the same version as a widget featured on (www.apple.com) before installing it.

Posted by: Frédéric Côté on June 27, 2006 9:59 PM

Did you read the comments here? The VerifiedDownloadPlugin does not do what you suggest it does. It does nothing and seems to have no purpose other than simply existing.

Before commenting about people not reading the release notes, please thoroughly read what comments are being made.

Posted by: Rosyna on June 27, 2006 10:27 PM

VerifiedDownloadAgent's Info.plist lists a vdownload colon-slash-slash schema (wtf, Movable Type, make me type it out why don't you). Safari won't let you use them, but if you open up Terminal and enter "open vdownload[COLON-SLASH-SLASH]google[DOT]com" it will pop open a Verified Downloads window.

I can't find a URL that it will actually try to download, though. Not like Movable Type would let me post it here if I did.

Posted by: Ryan Govostes on June 27, 2006 10:47 PM

Yes, MT hates you. (In all seriousness it's due to the massive amount of spam this blog receives).

But yeah, VerifiedDownloadAgent explicitly mentions Dashboard in it. However, it still doesn't seem to say what the fuzzy VerifiedDownloadPlugin is for.

Posted by: Rosyna on June 27, 2006 10:53 PM

I'm not very familiar with Quartz Composer itself, but for me it looks like a new potential security hole too. Some advanced QC functions seem to be disabled when a .qtz is loaded from a server, but… I don't like it.

Posted by: Sebastian Siedentopf on June 28, 2006 9:39 AM

The code in the internet plugin (in the __TEXT section) is setting up two function pointers to dynamically relocated (or dynamically generated) code. See Listing 2 on this page for a commented example.

The __DATA section contains what I think are two dummy words that are replaced at runtime with branches to the new locations, and a third dummy word that is replaced with a data pointer.

When executed, the code will figure out the position-dependent memory location of the word that's position-independently located at 0x1004 (the first word of the data section) and jump to it with $r12 pointing to the dummy data word. The second function does the same, but uses the second word of the data section and has no parameter.

In other words, here's the __DATA section:
struct {
  void *func1Parameter;
  void * (*func1)();
  void * (*func2)();
};

I'd guess that the use of all of this is to allow VerifiedDownloadAgent to be used from within the same application context as Safari.

Posted by: Jason Harris on June 28, 2006 10:38 AM

Jason, that still seems to fit under the "do nothing" category. I say this just because the plugin itself doesn't appear to have a standard entry point. And it never calls anything.

The other thing being that I can't seem to find any examples of the verifieddownloadagent being launched for anything. If I could find an actual example of it being used... I also can't find any external references to the VerifedDownloadPlugin being used for anything.

Just one example...

Posted by: Rosyna on June 28, 2006 3:09 PM

Damned MT making me do this the hard way...

Okay, how's this? If you surf here in Safari and then click the link, you'll get a message in your Download window saying that the download is corrupt. Alternately, if you control-click that link and copy it, and then paste it into the VerifiedDownloadAgent window, it will try to download it there and will present the same error message. Alternately again, if you drag the link to the desktop and then double-click the file there, it'll open in the VerifiedDownloadAgent window as well.

I assume that the plugin is what's allowing the code from VerifiedDownloadAgent to live inside of Safari's download window.

(Incidentally, the file I linked is actually being downloaded and then the data is being passed to something called SecureDownloadCreateWithTicket that lives in Security.framework, which is where the error occurs. The file contains an html "Hello World!".)

Posted by: Jason Harris on June 28, 2006 4:53 PM

Jason, but what's that have to do with the VerifiedDownloadPlugin? I ask this because deleting the plugin and relaunching safari, then downloading that file has the same exact outcome of showing "Download Corrupted". So the existence of VerifiedDownloadPlugin isn't changing the outcome.

Posted by: Rosyna on June 28, 2006 4:58 PM

I guess nothing then. I thought the plugin was the mechanism by which the Agent was embedding into Safari.

Posted by: Jason Harris on June 28, 2006 5:14 PM

How odd. The Security framework makes reference to a DTD at http://www.apple.com/2006/SecureDownload/1 however this does not yet exist.

Compare this to a DTD that does exist at http://www.apple.com/DTDs/PropertyList-1.0.dtd

Posted by: Rosyna on June 28, 2006 5:52 PM

Seems I misread. the SecureDownload URL isn't a DTD url, it's an XML namespace so it doesn't have to exist. My bad.

Posted by: Rosyna on June 30, 2006 5:37 PM

"people that are naturally paranoid (like those running as non-admin with the mistaken idea that it protects you from something that running as admin (but no root) on OS X doesn't)"

like writing in the /Applications folder without sudo kicking in ?

I am a unix guy first, and run everything under an unprivileged id, so maybe I'm mistaken and you could develop your point. I'd be curious, no irony here.

Thanks.

Posted by: David Morel on July 11, 2006 1:09 PM

David, because it offers no extra protection whatsoever. Being admin and not root means you're already prompted whenever something done to the system that could be disastrous is attempted. If you wan to protect the /Applications folder for some reason, then just turn off write for the admin use.

 sudo chmod g-w /Applications

But note that anything you install as non-admin by drag and dropping it into the /Applications folder will still be owned by the user that dragged and dropped it in there. Applications such as OmniWeb and Quicksilver, for example.

Posted by: Rosyna on July 11, 2006 1:17 PM

I wrote something about this needless paranoia and attack of Linux nerds/privacy freaks (in negative way) to Usenet comp.sys.mac.system and got attacked of course.

I gave the original in URL field of mine, you can see what kind of response I got if you click my name.

I am pasting some parts of it:

"Just like poor shareware authors searching for their pirated serials
all over the web daily (to disable them) they hang in some "weird
sites" and "weird communities".

They get some "tips" and see a "potential risk" waiting to create an
argameddon which may result in non-reversible harm to the image they
created since '84. It could be a single word/sentence from some
anonymous guy saying "heh, dashboard... Lets see what happens when I
compile this thing" "

"This kind of paranoia made computer industry 5 years back from what
should it be today. Even game companies can't get their crash reports,
mission critical software as advanced system utilities can't check for
their critical updates, no small shareware author have clue what
hardware/OS their majority of userbase uses as they can't hire GALLUP
like companies to check. "

I like my Quad Mac, I like how OS X works but I can't stand to the loud nerd no life ex-Linux people trying to change how Macintosh should work.

We have seen what kind of results it produces since linux 1.0.

I really care about my privacy but I advocate "real" stuff like secure IMAP/POP3/SMTP logins, encrypted mail, an open way to certify OS X parts/applications.

Posted by: Ilgaz on July 16, 2006 2:55 AM

Single note, I promise: I think most of advanced coders doesn't use a "childish" thing as Dashboard so naturally they really don't know the huge power user gives to Dashboard.

Think a bit about Dashboard, where dashboard modules run in and what they can "see" and "tell".

You will understand where that rushed update come from.

Posted by: Ilgaz on July 16, 2006 2:59 AM

Ilgaz,

I hope you realize that the last comment you left is the worst english I have ever tried to read in my entire life.

Posted by: Dan on August 1, 2006 9:03 AM

Dear Dan,

I am not proud of my english but I am proud that I am not some nutcase who thinks their vendor would spy on them on a hardware and software combination named "macintosh" which he/she paid.

I am also glad that Unsanity started to ignore 1% of community named "privacy freaks" or "nerds" and added some self update check to their advanced utilities resulting in favour of 99% of "normal", "non foil head" people named as "paying customers".

Thanks to Apple taking the right step forward. Nobody should be able to come up with a security scandal in these times while Apple share finally rising to some notable levels.

Posted by: Ilgaz on August 1, 2006 10:15 AM

Here's the story on "VerifiedDownloadPlugin.plugin" from
www.red-sweater.com/blog/153/apple-phones-home-too
---------------------
Apple Phones Home, Too
July 3rd, 2006
Lately I’ve heard a lot on technical podcasts about the public outrage over “Microsoft Genuine Advantage” and the fact that it “phones home” every day.

Apple released Mac OS X 10.4.7 last week, and ever since I installed it, I’ve been noticing Apple’s own modest home phoning behavior. In this case it’s ostensibly to provide users with the opportunity to check whether the Dashboard Widgets you download are identical to ones featured on Apple’s site. Sort of a security debriefing, I guess. From the 10.4.7 release notes:

You can now verify whether or not a Dashboard widget you downloaded is the same version as a widget featured on (www.apple.com) before installing it.

The problem is this feature popped up without my permission, and there’s no obvious way for me to turn it off. This is how companies, even fairly trustable ones (IMHO) like Apple, make users paranoid and suspicious of them. This phoning home is done by a new process called “dashboardadvisoryd.” I don’t know the exact schedule, but it appears to be very frequent: twice today in a seven hour period. If I didn’t run Little Snitch I wouldn’t have any idea this was going on, because Apple made no point of informing me of the new feature and what it would entail.

One of the nice things about Little Snitch is it gives you a chance to “perk up your ears” to what’s being said between the client and server. When I see an unusual connection being requested, I often allow it to take place, but not before switching to the Terminal and starting up tcpdump so I can scrutinize the traffic. I figure if anybody is going to be chatting behind my back I at least want to know the gist of what they’re saying.

So far as I can tell, the activity from Apple is in this case pretty tame. At least so far. Every time it phones home, it requests the following two URLs:

http://www.apple.com/widgets/widgetadvisory
http://www.apple.com/widgets/parser.info

The first appears to be a public key or something. The second appears to be empty but its header values may convey something of interest to Apple’s client.

I can’t see that anything at all is being sent back to Apple, but that’s sort of not the point. The mere act of “checking in” lets Apple know that I’m here and I’m running 10.4.7. They didn’t ask my permission to start making this regular checkin, and I’m not even sure what benefit I’m going to be getting out of allowing it.

In an era when consumers are being encouraged to take responsibility for their own safety in the interconnected world, Apple and others should respect the boundaries of our “digital house” by at least keeping us in the loop about what is being done on our behalf. I can find no documentation about what Apple is choosing to send and receive on a regular basis from my Mac.

Keep me in the loop, Apple. And if I’m not comfortable with it, give me an option (short of Little Snitch) for turning it off. It’s my computer, after all.

Posted by: Roger Pelizzari on September 23, 2006 10:02 AM