0.3.4: bump release version

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>

API.md

@@ -0,0 +1,57 @@
+### Get list of binaries
+
+#### Request
+
+```http request
+GET / HTTP/1.1
+```
+
+#### Example response
+
+```
+- hello (platforms: ["Linux-aarch64", "Darwin-arm64", "Darwin-x86_64"])
+```
+
+### Get script for specific binary (suitable for `curl | sh` syntax)
+
+This script will determine platform and arch and download necessary binary (and check hashsum if `sha256sum` binary is present in `$PATH`).
+
+#### Request
+
+```http request
+GET /<BIN> HTTP/1.1
+```
+
+### Get binary for specific platform
+
+#### Request
+
+```http request
+GET /bin/<BIN>/<PLATFORM>/<ARCH> HTTP/1.1
+```
+
+### Get ed25519 signature
+
+#### Request
+
+```http request
+GET /bin/<BIN>/<PLATFORM>/<ARCH>/sign HTTP/1.1
+```
+
+### Get manifest
+
+Manifest is a file, that contains ED25519 public key and SHA256sums list
+
+#### Request
+
+```http request
+GET /runner/manifest HTTP/1.1
+```
+
+### Get binary runner
+
+#### Request
+
+```http request
+GET /runner/<runner> HTTP/1.1
+```

Cargo.toml

@@ -1,17 +1,20 @@
+
 [package]
 name = "binhost"
-version = "0.2.2"
+version = "0.3.4"
 edition = "2021"
 license = "MIT"
 repository = "https://github.com/ivabus/binhost"
 description = "HTTP server to easily serve files"
 
 [dependencies]
-clap = { version = "4.4.11", features = ["derive"] }
+clap = { version = "4.5.3", features = ["derive"] }
 rocket = "0.5.0"
-serde = { version = "1.0.193", features = ["derive"] }
+serde = { version = "1.0", features = ["derive"] }
-sha2 = { version = "0.10.8", optional = true }
+sha2 = { version = "0.10" }
-
+ed25519-compact = { version = "2.1.1", default-features = false, features = [
-[features]
+    "random",
-default = [ "sha256" ]
+    "self-verify",
-sha256 = [ "dep:sha2" ]
+    "std",
+] }
+once_cell = "1.19"

README.md

@@ -1,6 +1,6 @@
 # BinHost
 
-> HTTP server to easily serve (prebuilt) binaries for any (UNIX-like) platform
+> HTTP server to easily serve (prebuilt) binaries for any (UNIX-like) platform with authenticity check
 
 ## Installation
 
@@ -33,55 +33,53 @@ bin
             └── hello
 ```
 
+#### Runners
+
+Runner is a (necessary) subprogram, that checks ED25519 signature of a binary file and needs to be statically compiled for every platform, that could use binaries from `binhost` server. 
+
+Directory, passed to `binhost` `--runners-dir` option (defaults to `./runners`) should look like (for `Linux-x86_64`, `Linux-aarch64` and `Darwin-arm64` compiled runners)
+
+```tree
+runners
+├── runner-Darwin-arm64
+├── runner-Linux-aarch64
+└── runner-Linux-x86_64
+```
+
 ## Client usage
 
-### Get available binaries
+### Execute specific binary <bin> with manifest validity check
 
-#### Request
+Manifest validity check provides a fully-secured binary distribution chain.
 
-```http request
+```shell
-GET / HTTP/1.1
+curl ADDRESS:PORT/<bin> | KEY=... sh
 ```
 
-#### Example response
+`KEY` first few symbols from hex representation of SHA256 sum of manifest (printed to stdout on `binhost` startup).
 
-```
+Additional arguments are set with `ARGS` environment variable
-- hello (platforms: ["Linux-aarch64", "Darwin-arm64", "Darwin-x86_64"])
+
+Only this option should be considered as secure.
+
+### Execute specific binary <bin> without validity check
+
+```shell
+curl ADDRESS:PORT/<bin> | sh
 ```
 
-### Get script for specific binary (suitable for `curl | sh` syntax)
+### Download and reuse script
 
-This script will determine platform and arch and download necessary binary (and check hashsum if `sha256sum` binary is present in `$PATH`).
+```shell
-
+curl ADDRESS:PORT/<bin> -o script.sh
-#### Request
+./script.sh # Execute preloaded bin configuration
-
+BIN=<newbin> ./script.sh # Execute newbin (download)
-```http request
+BIN=<newbin> EXTERNAL_ADDRESS=<newaddress> ./script.sh # Execute newbin from newaddress
-GET /<BIN> HTTP/1.1
 ```
 
-### Get binary for specific platform
+### API
 
-#### Request
+See full HTTP API in [API.md](./API.md)
-
-```http request
-GET /bin/<BIN>/<PLATFORM>/<ARCH> HTTP/1.1
-```
-
-### Get sha256 hash of binary for specific platform
-
-Only with "sha256" feature (recalculates hash on each request, may be bad on large files or lots of requests)
-
-#### Request
-
-```http request
-GET /bin/<BIN>/<PLATFORM>/<ARCH>/sha256 HTTP/1.1
-```
-
-#### Example response
-
-```text
-a5d1fba1c28b60038fb1008a3c482b4119070a537af86a05046dedbe8f85e18d  hello
-```
 
 ## License
 

runner/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "runner"
+version = "0.3.4"
+edition = "2021"
+
+[dependencies]
+libc = { version = "0.2.152", default-features = false }
+ed25519-compact = { version = "2.0.6", default-features = false }
+numtoa = "0.2.4"
+
+# Reducing size as much as possible
+[profile.release]
+strip = true
+opt-level = "s"
+lto = "fat"
+panic = "abort"
+codegen-units = 1
+
+[profile.dev]
+# Doesn't build on my machine without
+opt-level = 1

runner/src/main.rs

@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: MIT
+// "Runner" is written in no_std Rust for the smaller executable size: ~49KiB (Darwin arm64)
+
+#![no_main]
+#![no_std]
+
+use core::slice::from_raw_parts;
+use ed25519_compact::{PublicKey, Signature};
+use libc::{c_char, c_int, c_void, exit, open, printf, read, O_RDONLY};
+
+// 1 KiB seems fine
+const BUFFER_SIZE: usize = 1024;
+const PUBKEY_LEN: usize = PublicKey::BYTES;
+const SIGNATURE_LEN: usize = Signature::BYTES;
+
+#[allow(clippy::missing_safety_doc)]
+#[no_mangle]
+pub unsafe extern "C" fn main(_argc: i32, _argv: *const *const c_char) -> i32 {
+	printf("Starting runner\n\0".as_bytes().as_ptr() as *const c_char);
+
+	let mut buff_public_key = [0_u8; PUBKEY_LEN];
+	read(
+		open("public_key\0".as_bytes().as_ptr() as *const c_char, O_RDONLY),
+		buff_public_key.as_mut_ptr() as *mut c_void,
+		PUBKEY_LEN,
+	);
+	let public_key = PublicKey::new(buff_public_key);
+
+	let mut signature = [0_u8; SIGNATURE_LEN];
+	read(
+		open("signature\0".as_bytes().as_ptr() as *const c_char, O_RDONLY),
+		signature.as_mut_ptr() as *mut c_void,
+		SIGNATURE_LEN,
+	);
+
+	let arg = from_raw_parts(_argv, _argc as usize)[1]; // Getting path to binary
+	let binary_fd = open(arg, O_RDONLY);
+	let mut buffer = [0u8; BUFFER_SIZE];
+	let mut state = public_key.verify_incremental(&Signature::new(signature)).unwrap();
+	loop {
+		let bytes_read: usize =
+			read(binary_fd, buffer.as_mut_ptr() as *mut c_void, BUFFER_SIZE) as usize;
+		state.absorb(&buffer[0..bytes_read]);
+		if bytes_read != BUFFER_SIZE {
+			break;
+		}
+	}
+
+	printf("Signature: \0".as_bytes().as_ptr() as *const c_char);
+	if state.verify().is_ok() {
+		printf("OK\n\0".as_bytes().as_ptr() as *const c_char);
+	} else {
+		printf("Bad\n\0".as_bytes().as_ptr() as *const c_char);
+		return 2;
+	}
+	0
+}
+
+#[panic_handler]
+fn panic(info: &core::panic::PanicInfo) -> ! {
+	use numtoa::NumToA;
+	let mut buff = [0u8; 8];
+	unsafe {
+		printf("Panicked\0".as_bytes().as_ptr() as *const c_char);
+		if let Some(location) = info.location() {
+			printf(" at \0".as_bytes().as_ptr() as *const c_char);
+			location.line().numtoa(10, &mut buff).iter().for_each(|ch| {
+				libc::putchar(*ch as c_int);
+			});
+			printf(":\0".as_bytes().as_ptr() as *const c_char);
+			location.column().numtoa(10, &mut buff).iter().for_each(|ch| {
+				libc::putchar(*ch as c_int);
+			});
+			printf(" in \0".as_bytes().as_ptr() as *const c_char);
+			location.file().chars().for_each(|ch| {
+				libc::putchar(ch as c_int);
+			});
+		}
+		libc::putchar(b'\n' as c_int);
+		exit(3)
+	}
+}

src/main.rs

@@ -1,45 +1,86 @@
-mod structs;
+// SPDX-License-Identifier: MIT
-use structs::*;
 
-use clap::Parser;
+#![forbid(unsafe_code)]
-use rocket::figment::Figment;
-use rocket::fs::NamedFile;
-use std::collections::HashMap;
-use std::time::Instant;
 
 #[macro_use]
 extern crate rocket;
 
+use std::collections::HashMap;
+use std::time::Instant;
+
+use clap::Parser;
+use ed25519_compact::{KeyPair, Noise};
+use once_cell::sync::Lazy;
+use rocket::figment::Figment;
+use rocket::fs::{FileServer, NamedFile};
 use rocket::http::Status;
 use rocket::response::content::RawText;
+use rocket::tokio::sync::RwLock;
+use sha2::digest::FixedOutput;
+use sha2::Digest;
 
-static mut BINS: Option<(HashMap<String, Bin>, Instant)> = None;
+use structs::*;
 
+mod structs;
+
+static BINS: Lazy<RwLock<(HashMap<String, Bin>, Instant)>> =
+	Lazy::new(|| RwLock::new((get_bins(&Args::parse()), Instant::now())));
+static KEYPAIR: Lazy<KeyPair> = Lazy::new(|| {
+	println!("Generating keypair");
+	let kp = KeyPair::generate();
+
+	println!(
+		"Keypair generated. Public key: {}",
+		kp.pk.iter().map(|x| format!("{:x}", x)).collect::<Vec<String>>().join("")
+	);
+	kp
+});
+static MANIFEST: Lazy<Vec<u8>> = Lazy::new(|| {
+	let args = Args::parse();
+
+	println!("Generating manifest");
+	let mut manifest: Vec<u8> = Vec::new();
+	let mut bin_pub_key: Vec<u8> = KEYPAIR.pk.to_vec();
+	manifest.append(&mut bin_pub_key);
+	let mut runners = 0;
+
+	for element in std::fs::read_dir(args.runners_dir).unwrap() {
+		let en = element.unwrap();
+		if en.path().is_file() {
+			let mut hasher = sha2::Sha256::new();
+			hasher.update(std::fs::read(en.path()).unwrap().as_slice());
+			let mut contents = Vec::from(
+				format!(
+					"{:x}  {}\n",
+					hasher.finalize_fixed(),
+					en.path().file_name().unwrap().to_str().unwrap()
+				)
+				.as_bytes(),
+			);
+			runners += 1;
+			manifest.append(&mut contents);
+		}
+	}
+	let mut hasher = sha2::Sha256::new();
+	hasher.update(&manifest);
+	println!(
+		"Manifest generated with {} runners and SHA256: {:x}",
+		runners,
+		hasher.finalize_fixed()
+	);
+	manifest
+});
 static WEB_SH: &str = include_str!("../web.sh");
 
-#[cfg(feature = "sha256")]
+async fn reload_bins(args: &Args) {
-static HASH_CALCULATION_SH: &str = r#"
+	let (bins, time) = &mut *BINS.write().await;
-if ! which sha256sum > /dev/null; then
+	if (Instant::now() - *time).as_secs() > args.refresh {
-  echo "No \`sha256sum\` command found, continuing without checking" 1>&2
+		*bins = get_bins(args);
-else
+		*time = Instant::now();
-  echo ":: Checking hashsum" 1>&2
-  if ! ($DOWNLOAD_COMMAND {{EXTERNAL_ADDRESS}}/bin/$NAME/$(uname)/$(uname -m)/sha256 $OUTPUT_ARG - | sha256sum -c - > /dev/null); then
-    echo "sha256 is invalid" 1>&2
-    exit 255
-  fi
-fi
-"#;
-#[cfg(not(feature = "sha256"))]
-static HASH_CALCULATION_SH: &str = "";
-
-async fn reload_bins(bins: (&mut HashMap<String, Bin>, &mut Instant), args: &Args) {
-	if (Instant::now() - *bins.1).as_secs() > args.refresh {
-		*bins.0 = get_bins(args).await;
-		*bins.1 = Instant::now();
 	}
 }
 
-async fn get_bins(args: &Args) -> HashMap<String, Bin> {
+fn get_bins(args: &Args) -> HashMap<String, Bin> {
 	let mut bins: HashMap<String, Bin> = HashMap::new();
 	std::fs::read_dir(&args.dir).unwrap().for_each(|entry| {
 		let en = entry.unwrap();
@@ -77,48 +118,63 @@ fn format_platform_list(bin: &Bin) -> String {
 async fn index() -> RawText<String> {
 	let args = Args::parse();
 	let mut ret = String::new();
-	unsafe {
+
-		if let Some((bins, time)) = &mut BINS {
+	let mut hasher = sha2::Sha256::new();
-			reload_bins((bins, time), &args).await;
+	hasher.update(&*MANIFEST);
-			if bins.is_empty() {
+	ret.push_str(&format!("Manifest hashsum: {:x}\n", hasher.finalize_fixed()));
-				return RawText(String::from("No binaries found"));
+
-			}
+	reload_bins(&args).await;
-			for (name, bin) in bins {
+	let (bins, _) = &*BINS.read().await;
-				ret.push_str(&format!(
+
-					"- {} (platforms: {:?})\n",
+	if bins.is_empty() {
-					name,
+		return RawText(String::from("No binaries found"));
-					bin.platforms
-						.iter()
-						.map(|plat| format!("{}-{}", plat.system, plat.arch))
-						.collect::<Vec<String>>()
-				))
-			}
-		}
 	}
+	for (name, bin) in bins {
+		ret.push_str(&format!(
+			"- {} (platforms: {:?})\n",
+			name,
+			bin.platforms
+				.iter()
+				.map(|plat| format!("{}-{}", plat.system, plat.arch))
+				.collect::<Vec<String>>()
+		))
+	}
+
 	RawText(ret)
 }
 
+#[get("/runner/manifest")]
+async fn get_manifest<'a>() -> Vec<u8> {
+	let manifest = &*MANIFEST;
+	manifest.clone()
+}
 #[get("/<bin>")]
 async fn get_script(bin: &str) -> ScriptResponse {
 	let args = Args::parse();
-	unsafe {
+	reload_bins(&args).await;
-		if let Some((bins, time)) = &mut BINS {
+	let (bins, _) = &*BINS.read().await;
-			reload_bins((bins, time), &args).await;
+	match bins.get(bin) {
-			return match bins.get(bin) {
+		None => ScriptResponse::Status(Status::NotFound),
-				None => ScriptResponse::Status(Status::NotFound),
+		Some(bin) => {
-				Some(bin) => {
+			let mut script = String::from(WEB_SH);
-					let mut script = String::from(WEB_SH);
+			script = script
-					script = script
+				.replace("{{NAME}}", &bin.name)
-						.replace("{{HASH_CALCULATION}}", HASH_CALCULATION_SH)
+				.replace("{{PLATFORM_LIST}}", &format_platform_list(bin))
-						.replace("{{NAME}}", &bin.name)
+				.replace("{{EXTERNAL_ADDRESS}}", &args.url);
-						.replace("{{PLATFORM_LIST}}", &format_platform_list(bin))
+			ScriptResponse::Text(RawText(script))
-						.replace("{{EXTERNAL_ADDRESS}}", &args.url);
-					ScriptResponse::Text(RawText(script))
-				}
-			};
 		}
 	}
-	ScriptResponse::Status(Status::NotFound)
+}
+
+#[get("/<bin>/platforms")]
+async fn get_platforms(bin: &str) -> ScriptResponse {
+	let args = Args::parse();
+	reload_bins(&args).await;
+	let (bins, _) = &*BINS.read().await;
+	match bins.get(bin) {
+		None => ScriptResponse::Status(Status::NotFound),
+		Some(bin) => ScriptResponse::Text(RawText(format_platform_list(bin))),
+	}
 }
 
 #[get("/bin/<bin>/<platform>/<arch>")]
@@ -139,44 +195,22 @@ async fn get_binary(bin: &str, platform: &str, arch: &str) -> BinaryResponse {
 	}
 }
 
-#[cfg(feature = "sha256")]
+#[get("/bin/<bin>/<platform>/<arch>/sign")]
-#[get("/bin/<bin>/<platform>/<arch>/sha256")]
+async fn get_binary_sign(bin: &str, platform: &str, arch: &str) -> SignResponse {
-async fn get_binary_hash(bin: &str, platform: &str, arch: &str) -> ScriptResponse {
-	use rocket::tokio::io::AsyncReadExt;
-	use sha2::digest::FixedOutput;
-	use sha2::Digest;
-
 	let args = Args::parse();
-	let file = NamedFile::open(format!(
+	let file = match std::fs::read(format!(
 		"{}/{}/{}/{}/{}",
 		args.dir.file_name().unwrap().to_str().unwrap(),
 		bin,
 		platform,
 		arch,
 		bin
-	))
+	)) {
-	.await;
+		Ok(f) => f,
-
+		Err(_) => return SignResponse::Status(Status::BadRequest),
-	match file {
+	};
-		Ok(mut f) => {
+	let keypair = &*KEYPAIR;
-			let mut hasher = sha2::Sha256::new();
+	SignResponse::Bin(keypair.sk.sign(file.as_slice(), Some(Noise::generate())).as_slice().to_vec())
-			let mut contents: Vec<u8> = vec![];
-			f.read_to_end(&mut contents).await.unwrap();
-			hasher.update(contents);
-			ScriptResponse::Text(RawText(format!(
-				"{:x}  {}",
-				hasher.finalize_fixed(),
-				f.path().file_name().unwrap().to_str().unwrap()
-			)))
-		}
-		Err(_) => ScriptResponse::Status(Status::BadRequest),
-	}
-}
-
-#[cfg(not(feature = "sha256"))]
-#[get("/bin/<_bin>/<_platform>/<_arch>/sha256")]
-async fn get_binary_hash(_bin: &str, _platform: &str, _arch: &str) -> ScriptResponse {
-	ScriptResponse::Status(Status::BadRequest)
 }
 #[launch]
 async fn rocket() -> _ {
@@ -186,13 +220,17 @@ async fn rocket() -> _ {
 		std::process::exit(1);
 	}
 
-	unsafe {
+	let _ = &*BINS.read().await;
-		BINS = Some((get_bins(&args).await, Instant::now()));
+	let _ = &*MANIFEST;
-	}
 
 	let figment = Figment::from(rocket::Config::default())
-		.merge(("ident", "BinHost"))
+		.merge(("ident", "Binhost"))
 		.merge(("port", args.port))
 		.merge(("address", args.address));
-	rocket::custom(figment).mount("/", routes![index, get_script, get_binary, get_binary_hash])
+	rocket::custom(figment)
+		.mount(
+			"/",
+			routes![index, get_manifest, get_script, get_platforms, get_binary, get_binary_sign],
+		)
+		.mount("/runner", FileServer::from("runners"))
 }

src/structs.rs

@@ -12,6 +12,10 @@ pub struct Args {
 	#[arg(long, default_value = "bin")]
 	pub dir: PathBuf,
 
+	/// Directory where runners are contained
+	#[arg(long, default_value = "runners")]
+	pub runners_dir: PathBuf,
+
 	/// Refresh time (in secs)
 	#[arg(long, default_value = "300")]
 	pub refresh: u64,
@@ -52,3 +56,9 @@ pub enum BinaryResponse {
 	Status(Status),
 	Bin(NamedFile),
 }
+
+#[derive(Responder, Clone)]
+pub enum SignResponse {
+	Status(Status),
+	Bin(Vec<u8>),
+}

web.sh

@@ -1,44 +1,127 @@
 #!/bin/sh
 # SPDX-License-Identifier: MIT
-set -e -o pipefail
+set -e
 
-NAME="{{NAME}}"
+print() {
+  echo "$@" >&2
+}
 
-if ! uname > /dev/null; then
+fail() {
-  echo "No \`uname\` command was found, cannot continue" 1>&2
+  print "$@"
   exit 1
+}
+
+requireCommands() {
+  for cmd in "$@"; do
+    if ! command -v "$cmd" > /dev/null 2>&1; then
+      fail "Cannot find required command: $cmd"
+    fi
+  done
+}
+
+requireCommands uname cut dd chmod rm realpath expr
+
+# Finding alternative, but supported sha256sums
+SHA256SUM=""
+SHASUMFLAGS=""
+PLATFORM="$(uname)"
+ARCH="$(uname -m)"
+if command -v sha256sum > /dev/null 2>&1; then
+   SHA256SUM="sha256sum"
+   SHASUMFLAGS="-c hashes --ignore-missing"
+else
+  if command -v sha256 > /dev/null 2>&1; then
+      SHA256SUM="sha256"
+      SHASUMFLAGS="-C hashes runner-$PLATFORM-$ARCH"
+  fi
+  if command -v shasum > /dev/null 2>&1; then
+    SHASUMVER=$(shasum -v | cut -c 1)
+    if [ "$SHASUMVER" -ge 6 ]; then
+      SHA256SUM="shasum -a 256"
+      SHASUMFLAGS="-c hashes --ignore-missing"
+    fi
+  fi
 fi
 
-if ! expr "{{PLATFORM_LIST}}" : "\(.*$(uname)-$(uname -m).*\)" > /dev/null; then
+if [ SHA256SUM = "" ]; then
-  echo Platform $(uname)-$(uname -m) is not supported 1>&2
+    fail "Could not find suitable sha256sum executable"
-  exit 1
 fi
 
+if [ "$(realpath "$SHA256SUM" 2> /dev/null)" = "/bin/busybox" ]; then
+  fail "Busybox sha256sum detected, will not work. Refusing to continue"
+fi
+
+# Script could be used for any binary
+NAME=${BIN:="{{NAME}}"}
+EXTERNAL_ADDRESS=${EXTERNAL_ADDRESS:="{{EXTERNAL_ADDRESS}}"}
 DOWNLOAD_COMMAND="curl"
 OUTPUT_ARG="-o"
 DIR="/tmp/binhost-$NAME-$(date +%s)"
 FILE="$DIR/$NAME"
 
-if ! which curl > /dev/null; then
+if ! command -v curl > /dev/null 2>&1; then
-  if ! which wget > /dev/null; then
+  if ! command -v wget > /dev/null 2>&1; then
-    echo "No curl or wget found, install one and rerun the script" 1>&2
+    fail "No curl or wget found, install one and rerun the script"
-    exit 1
   fi
-  export DOWNLOAD_COMMAND="wget"
+  DOWNLOAD_COMMAND="wget"
-  export OUTPUT_ARG="-O"
+  OUTPUT_ARG="-O"
 fi
 
-mkdir $DIR
+PLATFORM_LIST="{{PLATFORM_LIST}}"
+# Making script truly portable
+if [ ! "{{NAME}}" = $NAME ]; then
+  print ":: Fetching platforms"
+  PLATFORM_LIST=$($DOWNLOAD_COMMAND $EXTERNAL_ADDRESS/$NAME/platforms $OUTPUT_ARG /dev/stdout)
+fi
 
-echo ":: Downloading binary" 1>&2
+if ! expr "$PLATFORM_LIST" : "\(.*$(uname)-$(uname -m).*\)" > /dev/null; then
+  fail "Platform \"$(uname)-$(uname -m)\" is not supported"
+fi
 
-# shellcheck disable=SC1083
+mkdir "$DIR"
-$DOWNLOAD_COMMAND {{EXTERNAL_ADDRESS}}/bin/$NAME/$(uname)/$(uname -m) $OUTPUT_ARG "$FILE"
+cd "$DIR"
+
+print ":: Downloading manifest"
+$DOWNLOAD_COMMAND $EXTERNAL_ADDRESS/runner/manifest $OUTPUT_ARG manifest
+
+MANIFEST_HASHSUM=$(cat manifest | $SHA256SUM)
+
+if [ -n "$KEY" ]; then
+  if [ ! "$KEY" = "$(echo "$MANIFEST_HASHSUM" | cut -c 1-${#KEY})" ]; then
+    fail "Invalid manifest hashsum"
+  fi
+else
+  print "Manifest KEY missing, skipping manifest check"
+fi
+
+print ":: Downloading signature"
+$DOWNLOAD_COMMAND "$EXTERNAL_ADDRESS/bin/$NAME/$PLATFORM/$ARCH/sign" $OUTPUT_ARG signature
+
+dd if=manifest of=public_key count=32 bs=1 2> /dev/null
+dd if=manifest of=hashes skip=32 bs=1 2> /dev/null
+
+print ":: Downloading runner"
+
+$DOWNLOAD_COMMAND "$EXTERNAL_ADDRESS/runner/runner-$PLATFORM-$ARCH" $OUTPUT_ARG "runner-$PLATFORM-$ARCH"
+
+if ! $SHA256SUM $SHASUMFLAGS >&2 ; then
+  fail "Incorrect hashsum of runner"
+fi
+
+chmod +x "runner-$PLATFORM-$ARCH"
+
+print ":: Downloading binary"
+
+$DOWNLOAD_COMMAND "$EXTERNAL_ADDRESS/bin/$NAME/$PLATFORM/$ARCH" $OUTPUT_ARG "$FILE"
+
+if ! "./runner-$PLATFORM-$ARCH" "$FILE" >&2; then
+  exit 2
+fi
 
 chmod +x "$FILE"
 
-cd $DIR
+$FILE $ARGS < /dev/tty
-{{HASH_CALCULATION}}
-$FILE < /dev/tty
 
-rm "$FILE"
+cd
+
+rm -rf "$DIR"