All executables in the Installer package for ZeroTier One are signed in accordance with Apple’s policies
$ codesign -v -v -R="notarized" MacEthernetTapAgent
MacEthernetTapAgent: valid on disk
MacEthernetTapAgent: satisfies its Designated Requirement
MacEthernetTapAgent: explicit requirement satisfied
$ codesign -v -v -R="notarized" zerotier-one
zerotier-one: valid on disk
zerotier-one: satisfies its Designated Requirement
zerotier-one: explicit requirement satisfied
$ codesign -v -v -R="notarized" /Applications/ZeroTier.app
/Applications/ZeroTier.app: valid on disk
/Applications/ZeroTier.app: satisfies its Designated Requirement
/Applications/ZeroTier.app: explicit requirement satisfied
As to the scripts. They’re there for utility purposes. Simply being owned by
root does not make them a security issue. If any of the calls in the script requires root access to execute, the user executing it will need root/sudo access before they will be executed anyway.
The launch item is from
$ cat /Library/Application\ Support/ZeroTier/One/launch.sh
export PATH="/Library/Application Support/ZeroTier/One:/bin:/usr/bin:/sbin:/usr/sbin"
/usr/bin/killall MacEthernetTapAgent >>/dev/null 2>&1
Created from the launchd config file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
While perhaps not ideal, I’m unaware of any ways to sign shell scripts on macOS. Apple does not require nor enforce that shell scripts be signed either.
As to ZeroTier One always running as root: as you suspect, it must run as root to modify network settings on the machine. It also runs as root/administrator on *BSD, and Windows for the same reasons. On Linux it’s initially launched as root but Linux has systems in place for dropping privileges. Unfortunately, macOS has no such ability so we cannot do any more while still keeping access to modify network settings.
The UI itself does not run as
root, but it’s also just an interface to the service API running on the
zerotier-one background agent. Quitting the UI does not stop the background agent and this is by design.
Using a method similar to the iOS/ipadOS apps is less than desirable as well as Apple’s NetworkExtension framework is extraordinarily limited. We use it on iOS and iPadOS because we have no other choice, but it also prevents a lot of features from being used on them; multicast, connecting to multiple networks simultaneously, L2 bridging, amongst others. So while it may technically be possible to use the NetworkExtension framework on macOS, users would loose many features they’ve come to rely on over the years.
If your curious, we did have a protocol audit done by Trail of Bits a few years back. You can find the audit in their GitHub Repo. You can also find our Security issue reporting policy here. In the 10+ years ZeroTier has been around, there has never been an exploit reported against the background agent.