diff --git a/puppet/zulip/manifests/external_dep.pp b/puppet/zulip/manifests/external_dep.pp
index 597909c9c3..90ebae54cf 100644
--- a/puppet/zulip/manifests/external_dep.pp
+++ b/puppet/zulip/manifests/external_dep.pp
@@ -1,8 +1,9 @@
 define zulip::external_dep(
   String $version,
   String $url,
-  String $tarball_prefix,
+  String $tarball_prefix = '',
   String $sha256 = '',
+  String $mode = '0755',
 ) {
   if $sha256 == '' {
     if $zulip::common::versions[$title]['sha256'] =~ Hash {
@@ -19,25 +20,38 @@ define zulip::external_dep(
     $sha256_filled = $sha256
   }
 
-  $dir = "/srv/zulip-${title}-${version}"
+  $path = "/srv/zulip-${title}-${version}"
 
-  zulip::sha256_tarball_to { $title:
-    url          => $url,
-    sha256       => $sha256_filled,
-    install_from => $tarball_prefix,
-    install_to   => $dir,
+  if $tarball_prefix == '' {
+    zulip::sha256_file_to { $title:
+      url        => $url,
+      sha256     => $sha256_filled,
+      install_to => $path,
+      before     => File[$path],
+    }
+    file { $path:
+      ensure => file,
+      mode   => $mode,
+    }
+  } else {
+    zulip::sha256_tarball_to { $title:
+      url          => $url,
+      sha256       => $sha256_filled,
+      install_from => $tarball_prefix,
+      install_to   => $path,
+      before       => File[$path],
+    }
+    file { $path:
+      ensure => directory,
+    }
   }
 
-  file { $dir:
-    ensure  => present,
-    require => Zulip::Sha256_Tarball_To[$title],
-  }
 
   tidy { "/srv/zulip-${title}-*":
     path    => '/srv/',
     recurse => 1,
     rmdirs  => true,
     matches => "zulip-${title}-*",
-    require => File[$dir],
+    require => File[$path],
   }
 }
diff --git a/puppet/zulip/manifests/sha256_file_to.pp b/puppet/zulip/manifests/sha256_file_to.pp
new file mode 100644
index 0000000000..a95acb883f
--- /dev/null
+++ b/puppet/zulip/manifests/sha256_file_to.pp
@@ -0,0 +1,13 @@
+# @summary Downloads, verifies hash, and copies the one file out.
+#
+define zulip::sha256_file_to(
+  String $sha256,
+  String $url,
+  String $install_to,
+) {
+  exec { $url:
+    command => "${::zulip_scripts_path}/setup/sha256-file-to ${sha256} ${url} ${install_to}",
+    creates => $install_to,
+    timeout => 600,
+  }
+}
diff --git a/scripts/setup/sha256-file-to b/scripts/setup/sha256-file-to
new file mode 100755
index 0000000000..38a5632d57
--- /dev/null
+++ b/scripts/setup/sha256-file-to
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+if [ "$#" -ne 3 ]; then
+    echo "Usage:"
+    echo "  sha256-file-to SHA256 http://FETCH/FROM DST"
+    echo
+    echo "SHA256 is the sha256sum of the file fetched; the file is"
+    echo "placed in DST."
+    exit 1
+fi
+
+set -e
+set -x
+
+SHA256="$1"
+URL="$2"
+DST="$3"
+
+# Work in a tmpdir which we clean up at the end
+tmpdir="$(mktemp -d)"
+trap 'rm -r "$tmpdir"' EXIT
+cd "$tmpdir"
+
+# Fetch to a predictable name, not whatever curl guesses from the URL
+LOCALFILE="output"
+curl -fL --retry 3 -o "$LOCALFILE" "$URL"
+
+# Check the hash against what was passed in
+echo "$SHA256  $LOCALFILE" >"$LOCALFILE.sha256"
+sha256sum -c "$LOCALFILE.sha256"
+
+mv "$LOCALFILE" "$DST"