diff --git a/Dockerfile b/Dockerfile
index cb001c8..28d9f9b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,5 +2,6 @@ FROM alpine:3.21
 RUN apk add --no-cache tzdata ca-certificates curl
 WORKDIR /
 COPY gmc gmc
+COPY --chmod=444 binary-checksum /binary-checksum
 USER nobody
 ENTRYPOINT ["/gmc"]
diff --git a/Makefile b/Makefile
index 20b4e16..ce59997 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,13 @@
 .PHONY:	test imports
 SHELL := /bin/bash
 
-VERSION?=0.0.1-local
+VERSION?=$(shell git rev-parse HEAD )
 
 IMAGE = quay.io/fortnox/gitmachinecontroller
 
 build:
-	CGO_ENABLED=0 GOOS=linux go build -o gmc ./cmd/gmc
+	CGO_ENABLED=0 GOOS=linux go build -ldflags "-X main.BuildTime=$(shell date +%FT%T%z) -X main.Version=${VERSION} -X main.BuildCommit=$(shell git rev-parse HEAD)" -o gmc ./cmd/gmc
+	sha256sum gmc | awk '{print $$1}' > binary-checksum
 
 docker: build
 	docker build --pull --rm -t $(IMAGE):$(VERSION) .
diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
index 8f7005a..716d205 100644
--- a/e2e/e2e_test.go
+++ b/e2e/e2e_test.go
@@ -293,7 +293,7 @@ spec:
 	logrus.SetOutput(buf)
 	a := admin.NewAdmin("./adminConfig", "", "", admin.WithTLSConfig(trustCert("./cert.pem")))
 	err = a.Exec(context.TODO(), "uptime")
-	assert.Equal(t, "websocket: bad handshake", err.Error())
+	assert.Equal(t, "websocket: error status 401 Unauthorized", err.Error())
 
 	assert.Contains(t, buf.String(), "http_request_status=401")
 	cancel()
diff --git a/pkg/admin/bootstrap.go b/pkg/admin/bootstrap.go
index 69b82f2..949b4c5 100644
--- a/pkg/admin/bootstrap.go
+++ b/pkg/admin/bootstrap.go
@@ -21,7 +21,7 @@ func (a *Admin) Bootstrap(ctx context.Context, hosts []string) error {
 		return err
 	}
 
-	binaryPath, err := getSelfLocation()
+	binaryPath, err := GetSelfLocation()
 	if err != nil {
 		return err
 	}
@@ -206,7 +206,7 @@ func copyFileToServer(client *ssh.Client, src, dst string) error {
 
 	return session.Wait()
 }
-func getSelfLocation() (string, error) {
+func GetSelfLocation() (string, error) {
 	fname, err := exec.LookPath(os.Args[0])
 	if err != nil {
 		return "", err
diff --git a/pkg/master/webserver/webserver.go b/pkg/master/webserver/webserver.go
index 3601fc0..73a62c4 100644
--- a/pkg/master/webserver/webserver.go
+++ b/pkg/master/webserver/webserver.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/fortnoxab/ginprometheus"
+	"github.com/fortnoxab/gitmachinecontroller/pkg/admin"
 	"github.com/fortnoxab/gitmachinecontroller/pkg/agent/config"
 	"github.com/fortnoxab/gitmachinecontroller/pkg/api/v1/protocol"
 	"github.com/fortnoxab/gitmachinecontroller/pkg/api/v1/types"
@@ -79,6 +80,35 @@ func (ws *Webserver) InitTLS() *gin.Engine {
 		fmt.Fprintf(c.Writer, `<a href="/machines">Machines</a>`)
 	})
 	router.GET("/api/up-v1", err(ws.listMasters))
+	router.GET("/api/download-v1", err(func(c *gin.Context) error {
+		binaryPath, err := admin.GetSelfLocation()
+		if err != nil {
+			return err
+		}
+
+		f, err := os.Open(binaryPath)
+		if err != nil {
+			return err
+		}
+
+		defer f.Close()
+
+		_, err = io.Copy(c.Writer, f)
+		return err
+
+	}))
+	router.GET("/api/binary-checksum-v1", err(func(c *gin.Context) error {
+		f, err := os.Open("/binary-checksum")
+		if err != nil {
+			return err
+		}
+
+		defer f.Close()
+
+		_, err = io.Copy(c.Writer, f)
+		return err
+
+	}))
 	router.POST("/api/admin-v1", err(ws.createAdmin))
 
 	requireAdmin := router.Group("/")