Yes that's exactly what they are up to. They change all the updates including those from the past.
I took a full set of what they had when the end version was 146 and also tried to get a few indexed on the Wayback machine to prove this without it having to be my say so.
The difference this time is the digests are different. I haven't taken a full set yet but I think all the digests will be the same across the updates. I also need to see if the version number is included in the digest hash or not, the code shows this but I haven't looked at it yet.
What Apple may be trying to do is to reset every Mac to it's seed database and are cycling through digests that match the seeds of the different databases that come with different macOS version installations. We might see a new empty update with a different digest let's say every 2 weeks (to give time for machines to see them), cycling through different seed db digests.
Perhaps they were working their way back through the OS versions but have figured that going forward from High Sierra is a better approach given how High Sierra is susceptible to this problem here. I don't think the seed dbs change between point versions of the OS but I haven't looked as I don't have any old install images other than the final ones of each non current major version.
The problem with this theory is they could perhaps do this by sending a deliberately bad update which might be easier.
I don't have the full protocol including digest checks, database reseeding etc mapped out in my head yet as I've only really done a half-baked reading of the source code. Though it's all in there and possible to figure it out.
My other theory from yesterday was that non incremental updates have always been broken and the update generation code was applying these in a broken way to a database server side used only for this purpose (so not breaking the host machine in any way), and then sending out digests for the broken database. They may have fixed full updates at that end and so now the digests will be that of a correct database rather than a broken one. Though if all the digests are the same across increments that would be weird unless increments did nothing. This is why my replaying seed db digests every couple of weeks came to me as an idea of what might be going on this morning whilst in the shower.
Whatever they are up to I'm convinced they are trying to clean up a mess that is bigger than the problem here, but doing so without patching any code but rather being a little liberal with their own protocol to get to the end point they want.
Note that another way to reset that I spotted from the source code.
- sudo touch /Library/Keychains/crls/.valid_replace
- reboot
This will make trustd reseed the database for you.
It does look though that for the issue here in this thread that Apple have done what they needed to do. So further investigation will just be to get hints of what the bigger picture might have been and also just to understand the mechanism out of interest. Given what it is, this mechanism is quite important to the security of many computing devices in the world and really there should be people outside of Apple that understand it IMHO.