So it appears that the steps to download the map file are:
1) Download the "Map Downloader" utility
2) Click on the "DOWNLOAD MAP" link in the "Jaguar Shop" web site
The "Map Downloader" utility is registered in Windows as the application handler for the file type, which is simply metadata that the "Map Downloader" utility needs to connect and download. Because apparently downloading files over the Internet is something that must be left to the professionals. God forbid Jaguar should let your web browser do it. But it's cool if your web browser downloads the app needed to download the map files.
Snark aside, what I think is happening is that the "Map Downloader" app attempts to "lock" what's downloaded to your vehicle by generating an update.xml file with your car's VIN number in it. They could have just done that server-side, but that would need to involve technical competence. Instead they appear to be pushing secret encryption keys to the client's computer and asking the client's computer to "bind" the generated map files to the client's car via the VIN.
3) "Map Downloader" app launches and downloads the files.
The downloaded files are put into a directory named "HereV1" under the root of your FAT32-formatted USB drive.
There's an "update.xml" metadata file that describes all the map segments (a.k.a. "regions"). Because we're still stuck in the 90's when it comes to Jaguar map updates, they're using the obsolete (and trivially exploitable) MD5 hash to validate the map segments. There's a segment of that file with your VIN in it:
(I substituted "ABC123" for my own car's VIN for my privacy.)
I bet this is a poor-man's "Digital Restrictions Management" (DRM) attempt on Jaguar's part, so you can't trivially plug your USB drive into another car and get the map, unless you're paying for a subscription.
Of course changing that VIN may very well impact the "applicationConfiguration" MD5 hash, which would render a modified update.xml file unusable since the hashes wouldn't match. But the good news is that they're using MD5, which has off-the-shelf tools for generating collisions: https://github.com/cr-marcstevens/hashclash
The entire file does contain a standards-based XML digital signature using the SHA-1 hash, which is still vulnerable to collision attacks just like MD5, except it's more expensive.
However I wouldn't bother much with cracking the encryption, because it would be much easier to attack the MapDownloader.exe file itself to extract the RSA keys and/or substitute whatever VIN you want in the executable at runtime. If I get bored I might get around to playing around with some execution traces to see how hard that would be.
Regardless, Jaguar really should just be pulling the map files down OTA instead of making us do this whole USB drive dance.