Question about the version check code: what purpose does the public key serve?

[jfly]

In #787 (comment), I learned that:

TNoodle has an RSA key pair that is used when "phoning home" to verify that Delegates aren't running self-built / self-compiled versions of TNoodle

I don't see how introducing a key pair prevents delegates from running self-build / self-compiled versions of TNoodle. I have read through the various PRs that introduced this:

• The TNoodle change(s): Activate release signing via Gradle #621 (specifically 1f9c56c)
• Adding the public key to the WCA website regulations-data branch: Add TNoodle public RSA key worldcubeassociation.org#5748
• Exposing the public key in the /api/v0/scramble-program endpoint: Load TNoodle public key and display bytes in versioning API worldcubeassociation.org#5749

None of these PRs help me understand why TNoodle is doing all this, though.

The pre-existing version check was enough to remind intentioned delegates that they're using an outdated version of TNoodle or even a locally-built version of it. What additional benefit does this keypair introduce?

(For the record, I'm aware that none of this to protects us from ill-intentioned people/delegates. If I'm trying to trick a delegate into using my tweaked version of TNoodle, it has always (and still is) possible for me to me build a TNoodle jar file that doesn't print any version warnings: I can tweak my local build to include an allowed version number and public key from https://www.worldcubeassociation.org/api/v0/scramble-program, or I could even just build a version of TNoodle with the version check removed. And if I'm a delegate, nothing truly forces me to use TNoodle's scrambles even pay any attention to the version warning in the first place.)

This all smells like (pretty harmless) security theater to me, but I'm quite curious if I'm missing something. Thanks in advance!

[gregorbg]

You are right. In essence, anything TNoodle does can be labelled "pretty harmless security theater". Checking the key can be circumvented by removing the checks from the code and then compiling a version, but so can the API calls that make sure you're running an up-to-date version of the app.

So yes, it's probably silly from an auditing point of view. But it still adds a "psychological" layer of security and given the fact that we're considering replacing TNoodle altogether, I'd rather not dive into this matter too deep.

[jfly]

Sounds good, thanks.

I'd be interested to learn more about the TNoodle replacement plan if there's a write up.

[gregorbg]

Not a full write-up, but basically we intend to bring https:/cubing/twsearch to a state where it can generate scrambles for all WCA Puzzles, then compile it down to WASM and use it in the website so that scrambles are generated as part of the online competition application/creation process.