
The comments are such a facepalm.

> Increases the attack surface

No it doesn’t. It fork/executes the plugin in a different process AND verifies the signature. If an attacker can replace the binary and do things with it, you already have a much larger problem. Even if they do, all it does is pass JSON around, it doesn’t allow you to execute anything from within iTerm (afaik)

> It can be called by any process

It’s not like they were storing your OpenAI API keys in some encrypted format in the first place. If you’re that paranoid, you aren’t gonna be using the AI feature in the first place.

One valid concern I can think of is TCC escalation on macOS since fork/exec is executed in the context of iTerm. I don’t know if signatures are verified before or after running, but the binary probably won’t even run without being signed by a paying Apple Developer anyways.

Edit: commenting on the change, I think it was just fine as is. AI is annoying, but it was off by default. Based on the author’s comments, they don’t seem to intend on pushing it in people’s faces, just something fun and optional.



That guy in general was clearly just trolling. If you go further up, you can see that everyone's mostly happy with the solution to have a separate plugin for this but him. His first reason was that he just didn't want to see the other side win because it makes him "feel like a 2nd class community member." Then he switched his argument to that the new method would "have security concerns," again just to keep the whole thing going. It's terrible that the dev has to deal with this kind of thing.


> I don’t know if signatures are verified before or after running but the binary probably won’t even run without being signed by a paying Apple Developer anyways.

It's before. You can code sign and verify macOS binaries with any certificate you wish, including a self-signed one (useful in case you want your private iTerm fork). Note that the plugin should be signed with the same certificate as the iTerm app [1]; just using a paid account won't work.

[1] https://gitlab.com/gnachman/iterm2/-/blob/b0e6b336a6be9bca00...
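As an added illustration of the "verified before it runs, and signed by the same developer as the host" model discussed above (this is example code, not iTerm2's own implementation; the plugin path, the bundle identifier `com.example.plugin` and the use of the Team ID as the matching key are assumptions), a host app can read its own signing Team ID and refuse to fork/exec a plugin whose signature does not carry the same one:

```swift
import Foundation
import Security

// Team identifier of the running host app, read from its own code signature.
// Returns nil if the host is unsigned or ad-hoc signed (no Team ID present).
func hostTeamIdentifier() -> String? {
    var selfCode: SecCode?
    guard SecCodeCopySelf(SecCSFlags(rawValue: 0), &selfCode) == errSecSuccess,
          let dynamic = selfCode else { return nil }
    var staticSelf: SecStaticCode?
    guard SecCodeCopyStaticCode(dynamic, SecCSFlags(rawValue: 0), &staticSelf) == errSecSuccess,
          let code = staticSelf else { return nil }
    var info: CFDictionary?
    let flags = SecCSFlags(rawValue: kSecCSSigningInformation)  // needed to populate Team ID
    guard SecCodeCopySigningInformation(code, flags, &info) == errSecSuccess,
          let dict = info as? [String: Any] else { return nil }
    return dict[kSecCodeInfoTeamIdentifier as String] as? String
}

// Check that the binary at `path` has a valid signature that satisfies the
// Code Signing Requirement Language expression `requirement`.
// Returns nil on success, otherwise a description of the failure.
func verifySignature(at path: String, requirement: String) -> String? {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL,
                                             SecCSFlags(rawValue: 0), &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        return "cannot read code object at \(path): OSStatus \(status)"
    }
    var req: SecRequirement?
    status = SecRequirementCreateWithString(requirement as CFString, SecCSFlags(rawValue: 0), &req)
    guard status == errSecSuccess, let parsed = req else {
        return "invalid requirement string: OSStatus \(status)"
    }
    var errors: Unmanaged<CFError>?
    status = SecStaticCodeCheckValidityWithErrors(code, SecCSFlags(rawValue: 0), parsed, &errors)
    if status == errSecSuccess { return nil }
    if let err = errors?.takeRetainedValue() {
        return "signature check failed: \(CFErrorCopyDescription(err) as String)"
    }
    return "signature check failed: OSStatus \(status)"
}

// Gate to call before fork/exec: launch only if the plugin is signed by the
// same Apple Developer team as the host. Identifier is a placeholder.
func pluginIsLaunchable(pluginPath: String) -> Bool {
    guard let team = hostTeamIdentifier() else { return false }  // unsigned host: refuse
    let requirement = "anchor apple generic and identifier \"com.example.plugin\" " +
                      "and certificate leaf[subject.OU] = \"\(team)\""
    if let failure = verifySignature(at: pluginPath, requirement: requirement) {
        NSLog("refusing to exec plugin: %@", failure)
        return false
    }
    return true
}
```

For a self-signed certificate (the private-fork case) there is no Team ID, so the requirement would instead pin the leaf certificate itself (e.g. a `certificate leaf = H"<sha1 of the cert>"` clause); the check itself runs before anything is executed, which is what makes it useful against a swapped binary.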
