ivabus/binhost
1
0
Fork 0
mirror of https://github.com/ivabus/binhost synced 2025-06-08 08:10:33 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: ivabus:0.2.2
Branches Tags
ivabus:master
ivabus:0.3.4
ivabus:0.3.3
ivabus:0.3.1
ivabus:0.3.0
ivabus:0.2.2
ivabus:0.2.1
ivabus:0.2.0
ivabus:0.1.0
...
compare: ivabus:master
Branches Tags
ivabus:master
ivabus:0.3.4
ivabus:0.3.3
ivabus:0.3.1
ivabus:0.3.0
ivabus:0.2.2
ivabus:0.2.1
ivabus:0.2.0
ivabus:0.1.0

10 commits
0.2.2 ... master

Author SHA1 Message Date
Ivan Bushchik
33a0228c9c
0.3.4: bump release version 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-04-12 20:27:47 +03:00
Ivan Bushchik
d501843f06
Remove unused HASH_CALCULATION_SH static 
It was used in early stages of this project to provide sha256 feature
flag before 0.3.0.

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-03-17 18:17:58 +03:00
Ivan Bushchik
652196c247
0.3.3: Ununsafe binhost (server) and update deps 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-03-17 18:13:10 +03:00
Ivan Bushchik
debff608d2
Remove runner from workspace 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-02-21 20:15:36 +03:00
Ivan Bushchik
b082b645f0
web.sh: fixing shellcheck warnings 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-02-18 13:10:49 +03:00
Ivan Bushchik
beb4b46caf
web.sh: add alternative shasum command (perl) 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-02-18 10:14:23 +03:00
Ivan Bushchik
c31f86b104
0.3.2: display manifest hashsum on index 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-02-04 07:28:53 +03:00
Ivan Bushchik
bcb4fed2f4
0.3.1: ARGS for args and back to sh 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-02-03 22:31:40 +03:00
Ivan Bushchik
cae10cc45e
Fix missing "Request" 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-02-01 20:56:28 +03:00
Ivan Bushchik
0c6e251d1b
0.3.0: Full authenticity check 
Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
 2024-02-01 20:54:46 +03:00
8 changed files with 455 additions and 163 deletions
Show stats Expand all files Collapse all files

57
API.md Normal file
View file

@ -0,0 +1,57 @@
### Get list of binaries
#### Request
```http request
GET / HTTP/1.1
```
#### Example response
```
- hello (platforms: ["Linux-aarch64", "Darwin-arm64", "Darwin-x86_64"])
```
### Get script for specific binary (suitable for `curl | sh` syntax)
This script will determine platform and arch and download necessary binary (and check hashsum if `sha256sum` binary is present in `$PATH`).
#### Request
```http request
GET /<BIN> HTTP/1.1
```
### Get binary for specific platform
#### Request
```http request
GET /bin/<BIN>/<PLATFORM>/<ARCH> HTTP/1.1
```
### Get ed25519 signature
#### Request
```http request
GET /bin/<BIN>/<PLATFORM>/<ARCH>/sign HTTP/1.1
```
### Get manifest
Manifest is a file, that contains ED25519 public key and SHA256sums list
#### Request
```http request
GET /runner/manifest HTTP/1.1
```
### Get binary runner
#### Request
```http request
GET /runner/<runner> HTTP/1.1
```

19
Cargo.toml
View file

@ -1,17 +1,20 @@
[package]
name = "binhost"
version = "0.2.2"
version = "0.3.4"
edition = "2021"
license = "MIT"
repository = "https://github.com/ivabus/binhost"
description = "HTTP server to easily serve files"
[dependencies]
clap = { version = "4.4.11", features = ["derive"] }
clap = { version = "4.5.3", features = ["derive"] }
rocket = "0.5.0"
serde = { version = "1.0.193", features = ["derive"] }
sha2 = { version = "0.10.8", optional = true }
[features]
default = [ "sha256" ]
sha256 = [ "dep:sha2" ]
serde = { version = "1.0", features = ["derive"] }
sha2 = { version = "0.10" }
ed25519-compact = { version = "2.1.1", default-features = false, features = [
"random",
"self-verify",
"std",
] }
once_cell = "1.19"

72
README.md
View file

@ -1,6 +1,6 @@
# BinHost
> HTTP server to easily serve (prebuilt) binaries for any (UNIX-like) platform
> HTTP server to easily serve (prebuilt) binaries for any (UNIX-like) platform with authenticity check
## Installation
@ -33,55 +33,53 @@ bin
└── hello
```
#### Runners
Runner is a (necessary) subprogram, that checks ED25519 signature of a binary file and needs to be statically compiled for every platform, that could use binaries from `binhost` server.
Directory, passed to `binhost` `--runners-dir` option (defaults to `./runners`) should look like (for `Linux-x86_64`, `Linux-aarch64` and `Darwin-arm64` compiled runners)
```tree
runners
├── runner-Darwin-arm64
├── runner-Linux-aarch64
└── runner-Linux-x86_64
```
## Client usage
### Get available binaries
### Execute specific binary <bin> with manifest validity check
#### Request
Manifest validity check provides a fully-secured binary distribution chain.
```http request
GET / HTTP/1.1
```shell
curl ADDRESS:PORT/<bin> | KEY=... sh
```
#### Example response
`KEY` first few symbols from hex representation of SHA256 sum of manifest (printed to stdout on `binhost` startup).
```
- hello (platforms: ["Linux-aarch64", "Darwin-arm64", "Darwin-x86_64"])
Additional arguments are set with `ARGS` environment variable
Only this option should be considered as secure.
### Execute specific binary <bin> without validity check
```shell
curl ADDRESS:PORT/<bin> | sh
```
### Get script for specific binary (suitable for `curl | sh` syntax)
### Download and reuse script
This script will determine platform and arch and download necessary binary (and check hashsum if `sha256sum` binary is present in `$PATH`).
#### Request
```http request
GET /<BIN> HTTP/1.1
```shell
curl ADDRESS:PORT/<bin> -o script.sh
./script.sh # Execute preloaded bin configuration
BIN=<newbin> ./script.sh # Execute newbin (download)
BIN=<newbin> EXTERNAL_ADDRESS=<newaddress> ./script.sh # Execute newbin from newaddress
```
### Get binary for specific platform
### API
#### Request
```http request
GET /bin/<BIN>/<PLATFORM>/<ARCH> HTTP/1.1
```
### Get sha256 hash of binary for specific platform
Only with "sha256" feature (recalculates hash on each request, may be bad on large files or lots of requests)
#### Request
```http request
GET /bin/<BIN>/<PLATFORM>/<ARCH>/sha256 HTTP/1.1
```
#### Example response
```text
a5d1fba1c28b60038fb1008a3c482b4119070a537af86a05046dedbe8f85e18d hello
```
See full HTTP API in [API.md](./API.md)
## License

21
runner/Cargo.toml Normal file
View file

@ -0,0 +1,21 @@
[package]
name = "runner"
version = "0.3.4"
edition = "2021"
[dependencies]
libc = { version = "0.2.152", default-features = false }
ed25519-compact = { version = "2.0.6", default-features = false }
numtoa = "0.2.4"
# Reducing size as much as possible
[profile.release]
strip = true
opt-level = "s"
lto = "fat"
panic = "abort"
codegen-units = 1
[profile.dev]
# Doesn't build on my machine without
opt-level = 1

82
runner/src/main.rs Normal file
View file

@ -0,0 +1,82 @@
// SPDX-License-Identifier: MIT
// "Runner" is written in no_std Rust for the smaller executable size: ~49KiB (Darwin arm64)
#![no_main]
#![no_std]
use core::slice::from_raw_parts;
use ed25519_compact::{PublicKey, Signature};
use libc::{c_char, c_int, c_void, exit, open, printf, read, O_RDONLY};
// 1 KiB seems fine
const BUFFER_SIZE: usize = 1024;
const PUBKEY_LEN: usize = PublicKey::BYTES;
const SIGNATURE_LEN: usize = Signature::BYTES;
#[allow(clippy::missing_safety_doc)]
#[no_mangle]
pub unsafe extern "C" fn main(_argc: i32, _argv: *const *const c_char) -> i32 {
printf("Starting runner\n\0".as_bytes().as_ptr() as *const c_char);
let mut buff_public_key = [0_u8; PUBKEY_LEN];
read(
open("public_key\0".as_bytes().as_ptr() as *const c_char, O_RDONLY),
buff_public_key.as_mut_ptr() as *mut c_void,
PUBKEY_LEN,
);
let public_key = PublicKey::new(buff_public_key);
let mut signature = [0_u8; SIGNATURE_LEN];
read(
open("signature\0".as_bytes().as_ptr() as *const c_char, O_RDONLY),
signature.as_mut_ptr() as *mut c_void,
SIGNATURE_LEN,
);
let arg = from_raw_parts(_argv, _argc as usize)[1]; // Getting path to binary
let binary_fd = open(arg, O_RDONLY);
let mut buffer = [0u8; BUFFER_SIZE];
let mut state = public_key.verify_incremental(&Signature::new(signature)).unwrap();
loop {
let bytes_read: usize =
read(binary_fd, buffer.as_mut_ptr() as *mut c_void, BUFFER_SIZE) as usize;
state.absorb(&buffer[0..bytes_read]);
if bytes_read != BUFFER_SIZE {
break;
}
}
printf("Signature: \0".as_bytes().as_ptr() as *const c_char);
if state.verify().is_ok() {
printf("OK\n\0".as_bytes().as_ptr() as *const c_char);
} else {
printf("Bad\n\0".as_bytes().as_ptr() as *const c_char);
return 2;
}
0
}
#[panic_handler]
fn panic(info: &core::panic::PanicInfo) -> ! {
use numtoa::NumToA;
let mut buff = [0u8; 8];
unsafe {
printf("Panicked\0".as_bytes().as_ptr() as *const c_char);
if let Some(location) = info.location() {
printf(" at \0".as_bytes().as_ptr() as *const c_char);
location.line().numtoa(10, &mut buff).iter().for_each(|ch| {
libc::putchar(*ch as c_int);
});
printf(":\0".as_bytes().as_ptr() as *const c_char);
location.column().numtoa(10, &mut buff).iter().for_each(|ch| {
libc::putchar(*ch as c_int);
});
printf(" in \0".as_bytes().as_ptr() as *const c_char);
location.file().chars().for_each(|ch| {
libc::putchar(ch as c_int);
});
}
libc::putchar(b'\n' as c_int);
exit(3)
}
}

190
src/main.rs
View file

@ -1,45 +1,86 @@
mod structs;
use structs::*;
// SPDX-License-Identifier: MIT
use clap::Parser;
use rocket::figment::Figment;
use rocket::fs::NamedFile;
use std::collections::HashMap;
use std::time::Instant;
#![forbid(unsafe_code)]
#[macro_use]
extern crate rocket;
use std::collections::HashMap;
use std::time::Instant;
use clap::Parser;
use ed25519_compact::{KeyPair, Noise};
use once_cell::sync::Lazy;
use rocket::figment::Figment;
use rocket::fs::{FileServer, NamedFile};
use rocket::http::Status;
use rocket::response::content::RawText;
use rocket::tokio::sync::RwLock;
use sha2::digest::FixedOutput;
use sha2::Digest;
static mut BINS: Option<(HashMap<String, Bin>, Instant)> = None;
use structs::*;
mod structs;
static BINS: Lazy<RwLock<(HashMap<String, Bin>, Instant)>> =
Lazy::new(|| RwLock::new((get_bins(&Args::parse()), Instant::now())));
static KEYPAIR: Lazy<KeyPair> = Lazy::new(|| {
println!("Generating keypair");
let kp = KeyPair::generate();
println!(
"Keypair generated. Public key: {}",
kp.pk.iter().map(|x| format!("{:x}", x)).collect::<Vec<String>>().join("")
);
kp
});
static MANIFEST: Lazy<Vec<u8>> = Lazy::new(|| {
let args = Args::parse();
println!("Generating manifest");
let mut manifest: Vec<u8> = Vec::new();
let mut bin_pub_key: Vec<u8> = KEYPAIR.pk.to_vec();
manifest.append(&mut bin_pub_key);
let mut runners = 0;
for element in std::fs::read_dir(args.runners_dir).unwrap() {
let en = element.unwrap();
if en.path().is_file() {
let mut hasher = sha2::Sha256::new();
hasher.update(std::fs::read(en.path()).unwrap().as_slice());
let mut contents = Vec::from(
format!(
"{:x} {}\n",
hasher.finalize_fixed(),
en.path().file_name().unwrap().to_str().unwrap()
)
.as_bytes(),
);
runners += 1;
manifest.append(&mut contents);
}
}
let mut hasher = sha2::Sha256::new();
hasher.update(&manifest);
println!(
"Manifest generated with {} runners and SHA256: {:x}",
runners,
hasher.finalize_fixed()
);
manifest
});
static WEB_SH: &str = include_str!("../web.sh");
#[cfg(feature = "sha256")]
static HASH_CALCULATION_SH: &str = r#"
if ! which sha256sum > /dev/null; then
echo "No \`sha256sum\` command found, continuing without checking" 1>&2
else
echo ":: Checking hashsum" 1>&2
if ! ($DOWNLOAD_COMMAND {{EXTERNAL_ADDRESS}}/bin/$NAME/$(uname)/$(uname -m)/sha256 $OUTPUT_ARG - | sha256sum -c - > /dev/null); then
echo "sha256 is invalid" 1>&2
exit 255
fi
fi
"#;
#[cfg(not(feature = "sha256"))]
static HASH_CALCULATION_SH: &str = "";
async fn reload_bins(bins: (&mut HashMap<String, Bin>, &mut Instant), args: &Args) {
if (Instant::now() - *bins.1).as_secs() > args.refresh {
*bins.0 = get_bins(args).await;
*bins.1 = Instant::now();
async fn reload_bins(args: &Args) {
let (bins, time) = &mut *BINS.write().await;
if (Instant::now() - *time).as_secs() > args.refresh {
*bins = get_bins(args);
*time = Instant::now();
}
}
async fn get_bins(args: &Args) -> HashMap<String, Bin> {
fn get_bins(args: &Args) -> HashMap<String, Bin> {
let mut bins: HashMap<String, Bin> = HashMap::new();
std::fs::read_dir(&args.dir).unwrap().for_each(|entry| {
let en = entry.unwrap();
@ -77,9 +118,14 @@ fn format_platform_list(bin: &Bin) -> String {
async fn index() -> RawText<String> {
let args = Args::parse();
let mut ret = String::new();
unsafe {
if let Some((bins, time)) = &mut BINS {
reload_bins((bins, time), &args).await;
let mut hasher = sha2::Sha256::new();
hasher.update(&*MANIFEST);
ret.push_str(&format!("Manifest hashsum: {:x}\n", hasher.finalize_fixed()));
reload_bins(&args).await;
let (bins, _) = &*BINS.read().await;
if bins.is_empty() {
return RawText(String::from("No binaries found"));
}
@ -93,32 +139,42 @@ async fn index() -> RawText<String> {
.collect::<Vec<String>>()
))
}
}
}
RawText(ret)
}
#[get("/runner/manifest")]
async fn get_manifest<'a>() -> Vec<u8> {
let manifest = &*MANIFEST;
manifest.clone()
}
#[get("/<bin>")]
async fn get_script(bin: &str) -> ScriptResponse {
let args = Args::parse();
unsafe {
if let Some((bins, time)) = &mut BINS {
reload_bins((bins, time), &args).await;
return match bins.get(bin) {
reload_bins(&args).await;
let (bins, _) = &*BINS.read().await;
match bins.get(bin) {
None => ScriptResponse::Status(Status::NotFound),
Some(bin) => {
let mut script = String::from(WEB_SH);
script = script
.replace("{{HASH_CALCULATION}}", HASH_CALCULATION_SH)
.replace("{{NAME}}", &bin.name)
.replace("{{PLATFORM_LIST}}", &format_platform_list(bin))
.replace("{{EXTERNAL_ADDRESS}}", &args.url);
ScriptResponse::Text(RawText(script))
}
};
}
}
#[get("/<bin>/platforms")]
async fn get_platforms(bin: &str) -> ScriptResponse {
let args = Args::parse();
reload_bins(&args).await;
let (bins, _) = &*BINS.read().await;
match bins.get(bin) {
None => ScriptResponse::Status(Status::NotFound),
Some(bin) => ScriptResponse::Text(RawText(format_platform_list(bin))),
}
ScriptResponse::Status(Status::NotFound)
}
#[get("/bin/<bin>/<platform>/<arch>")]
@ -139,44 +195,22 @@ async fn get_binary(bin: &str, platform: &str, arch: &str) -> BinaryResponse {
}
}
#[cfg(feature = "sha256")]
#[get("/bin/<bin>/<platform>/<arch>/sha256")]
async fn get_binary_hash(bin: &str, platform: &str, arch: &str) -> ScriptResponse {
use rocket::tokio::io::AsyncReadExt;
use sha2::digest::FixedOutput;
use sha2::Digest;
#[get("/bin/<bin>/<platform>/<arch>/sign")]
async fn get_binary_sign(bin: &str, platform: &str, arch: &str) -> SignResponse {
let args = Args::parse();
let file = NamedFile::open(format!(
let file = match std::fs::read(format!(
"{}/{}/{}/{}/{}",
args.dir.file_name().unwrap().to_str().unwrap(),
bin,
platform,
arch,
bin
))
.await;
match file {
Ok(mut f) => {
let mut hasher = sha2::Sha256::new();
let mut contents: Vec<u8> = vec![];
f.read_to_end(&mut contents).await.unwrap();
hasher.update(contents);
ScriptResponse::Text(RawText(format!(
"{:x} {}",
hasher.finalize_fixed(),
f.path().file_name().unwrap().to_str().unwrap()
)))
}
Err(_) => ScriptResponse::Status(Status::BadRequest),
}
}
#[cfg(not(feature = "sha256"))]
#[get("/bin/<_bin>/<_platform>/<_arch>/sha256")]
async fn get_binary_hash(_bin: &str, _platform: &str, _arch: &str) -> ScriptResponse {
ScriptResponse::Status(Status::BadRequest)
)) {
Ok(f) => f,
Err(_) => return SignResponse::Status(Status::BadRequest),
};
let keypair = &*KEYPAIR;
SignResponse::Bin(keypair.sk.sign(file.as_slice(), Some(Noise::generate())).as_slice().to_vec())
}
#[launch]
async fn rocket() -> _ {
@ -186,13 +220,17 @@ async fn rocket() -> _ {
std::process::exit(1);
}
unsafe {
BINS = Some((get_bins(&args).await, Instant::now()));
}
let _ = &*BINS.read().await;
let _ = &*MANIFEST;
let figment = Figment::from(rocket::Config::default())
.merge(("ident", "BinHost"))
.merge(("ident", "Binhost"))
.merge(("port", args.port))
.merge(("address", args.address));
rocket::custom(figment).mount("/", routes![index, get_script, get_binary, get_binary_hash])
rocket::custom(figment)
.mount(
"/",
routes![index, get_manifest, get_script, get_platforms, get_binary, get_binary_sign],
)
.mount("/runner", FileServer::from("runners"))
}

10
src/structs.rs
View file

@ -12,6 +12,10 @@ pub struct Args {
#[arg(long, default_value = "bin")]
pub dir: PathBuf,
/// Directory where runners are contained
#[arg(long, default_value = "runners")]
pub runners_dir: PathBuf,
/// Refresh time (in secs)
#[arg(long, default_value = "300")]
pub refresh: u64,
@ -52,3 +56,9 @@ pub enum BinaryResponse {
Status(Status),
Bin(NamedFile),
}
#[derive(Responder, Clone)]
pub enum SignResponse {
Status(Status),
Bin(Vec<u8>),
}

125
web.sh Normal file → Executable file
View file

@ -1,44 +1,127 @@
#!/bin/sh
# SPDX-License-Identifier: MIT
set -e -o pipefail
set -e
NAME="{{NAME}}"
print() {
echo "$@" >&2
}
if ! uname > /dev/null; then
echo "No \`uname\` command was found, cannot continue" 1>&2
fail() {
print "$@"
exit 1
}
requireCommands() {
for cmd in "$@"; do
if ! command -v "$cmd" > /dev/null 2>&1; then
fail "Cannot find required command: $cmd"
fi
done
}
requireCommands uname cut dd chmod rm realpath expr
# Finding alternative, but supported sha256sums
SHA256SUM=""
SHASUMFLAGS=""
PLATFORM="$(uname)"
ARCH="$(uname -m)"
if command -v sha256sum > /dev/null 2>&1; then
SHA256SUM="sha256sum"
SHASUMFLAGS="-c hashes --ignore-missing"
else
if command -v sha256 > /dev/null 2>&1; then
SHA256SUM="sha256"
SHASUMFLAGS="-C hashes runner-$PLATFORM-$ARCH"
fi
if command -v shasum > /dev/null 2>&1; then
SHASUMVER=$(shasum -v | cut -c 1)
if [ "$SHASUMVER" -ge 6 ]; then
SHA256SUM="shasum -a 256"
SHASUMFLAGS="-c hashes --ignore-missing"
fi
fi
fi
if ! expr "{{PLATFORM_LIST}}" : "\(.*$(uname)-$(uname -m).*\)" > /dev/null; then
echo Platform $(uname)-$(uname -m) is not supported 1>&2
exit 1
if [ SHA256SUM = "" ]; then
fail "Could not find suitable sha256sum executable"
fi
if [ "$(realpath "$SHA256SUM" 2> /dev/null)" = "/bin/busybox" ]; then
fail "Busybox sha256sum detected, will not work. Refusing to continue"
fi
# Script could be used for any binary
NAME=${BIN:="{{NAME}}"}
EXTERNAL_ADDRESS=${EXTERNAL_ADDRESS:="{{EXTERNAL_ADDRESS}}"}
DOWNLOAD_COMMAND="curl"
OUTPUT_ARG="-o"
DIR="/tmp/binhost-$NAME-$(date +%s)"
FILE="$DIR/$NAME"
if ! which curl > /dev/null; then
if ! which wget > /dev/null; then
echo "No curl or wget found, install one and rerun the script" 1>&2
exit 1
if ! command -v curl > /dev/null 2>&1; then
if ! command -v wget > /dev/null 2>&1; then
fail "No curl or wget found, install one and rerun the script"
fi
export DOWNLOAD_COMMAND="wget"
export OUTPUT_ARG="-O"
DOWNLOAD_COMMAND="wget"
OUTPUT_ARG="-O"
fi
mkdir $DIR
PLATFORM_LIST="{{PLATFORM_LIST}}"
# Making script truly portable
if [ ! "{{NAME}}" = $NAME ]; then
print ":: Fetching platforms"
PLATFORM_LIST=$($DOWNLOAD_COMMAND $EXTERNAL_ADDRESS/$NAME/platforms $OUTPUT_ARG /dev/stdout)
fi
echo ":: Downloading binary" 1>&2
if ! expr "$PLATFORM_LIST" : "\(.*$(uname)-$(uname -m).*\)" > /dev/null; then
fail "Platform \"$(uname)-$(uname -m)\" is not supported"
fi
# shellcheck disable=SC1083
$DOWNLOAD_COMMAND {{EXTERNAL_ADDRESS}}/bin/$NAME/$(uname)/$(uname -m) $OUTPUT_ARG "$FILE"
mkdir "$DIR"
cd "$DIR"
print ":: Downloading manifest"
$DOWNLOAD_COMMAND $EXTERNAL_ADDRESS/runner/manifest $OUTPUT_ARG manifest
MANIFEST_HASHSUM=$(cat manifest | $SHA256SUM)
if [ -n "$KEY" ]; then
if [ ! "$KEY" = "$(echo "$MANIFEST_HASHSUM" | cut -c 1-${#KEY})" ]; then
fail "Invalid manifest hashsum"
fi
else
print "Manifest KEY missing, skipping manifest check"
fi
print ":: Downloading signature"
$DOWNLOAD_COMMAND "$EXTERNAL_ADDRESS/bin/$NAME/$PLATFORM/$ARCH/sign" $OUTPUT_ARG signature
dd if=manifest of=public_key count=32 bs=1 2> /dev/null
dd if=manifest of=hashes skip=32 bs=1 2> /dev/null
print ":: Downloading runner"
$DOWNLOAD_COMMAND "$EXTERNAL_ADDRESS/runner/runner-$PLATFORM-$ARCH" $OUTPUT_ARG "runner-$PLATFORM-$ARCH"
if ! $SHA256SUM $SHASUMFLAGS >&2 ; then
fail "Incorrect hashsum of runner"
fi
chmod +x "runner-$PLATFORM-$ARCH"
print ":: Downloading binary"
$DOWNLOAD_COMMAND "$EXTERNAL_ADDRESS/bin/$NAME/$PLATFORM/$ARCH" $OUTPUT_ARG "$FILE"
if ! "./runner-$PLATFORM-$ARCH" "$FILE" >&2; then
exit 2
fi
chmod +x "$FILE"
cd $DIR
{{HASH_CALCULATION}}
$FILE < /dev/tty
$FILE $ARGS < /dev/tty
rm "$FILE"
cd
rm -rf "$DIR"