The update-binary can be found in any upgrade.zip file in the location shown above; it is a parser for updater-script found in the same directory.
There is no signature checking in update-binary; recovery performs a signature check over the entire upgrade.zip file and anything inside is presumed safe. The upshot of this is that update-binary can be rebundled into a new zip file and updater-script for used with a custom recovery, or update-binary can be manually executed by the user on a custom zip file. This is useful since the update-binary often contains functions that would otherwise be difficult such as baseband upgrades.
update-binary <api> <pipefd> <zip>
The api is 3, the pipefd is the descriptor used by recovery, the zip file file is the zip file containing the updater-script to be executed. (The update-binary within the zip file is ignored)