Supply-chain trust: verified binaries
A core promise of AtherOps is that a tampered or corrupt collector binary is never executed on your host. This is enforced by a signed version manifest and a SHA-256 check that happens before anything runs.
The manifest is the source of truth
The version manifest lists, per tool and per
os/arch, the download URL and the expected SHA-256. Both the installer and
the running agent consume the same manifest.
Verify before execute
Whenever a binary is downloaded (at install time or during a remote upgrade):
- The artifact is downloaded to a temporary file (never the final path).
- Its SHA-256 is computed and compared to the manifest value.
- On a mismatch, the file is deleted and nothing is installed, extracted, or
run. The installer exits with code
2; the agent keeps running its current, already-verified collector. - Only a binary that passed the check is made runnable.
You see this on a clean install:
[atherops] Verifying sha256…
[atherops] OK sha256 matches otelcol-contrib-linux_amd64
And on a mismatch (installer):
[atherops] ERROR sha256 MISMATCH — otelcol-contrib-linux_amd64
expected : e3b0c44298fc1c149afb...
got : 9f86d081884c7d659a2f...
INSTALL ABORTED. The downloaded file does not match the manifest checksum.
The file has been removed. No binary was installed and no service was started.
During a remote upgrade the agent logs instead:
level=error msg="collector upgrade aborted: sha256 mismatch"
Versioned, rollback-friendly layout
Collector binaries install under a versioned directory with a stable
current symlink:
/var/lib/atherops/otelcol/
0.102.0/otelcol-contrib
0.103.0/otelcol-contrib
current -> 0.103.0
You can see exactly which version is on disk, and the symlink is repointed atomically when a new version is activated.
What a mismatch means
A SHA-256 mismatch is either a corrupt/partial download or a tampering event
(MITM / CDN compromise). The safe behavior (abort and run nothing) is the same
either way. Retry once; if it persists, treat it as a security incident and
contact security@atherops.com. Never run the binary manually.