diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c1bd90e..417f96d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,61 +13,51 @@ name: release on: workflow_dispatch: push: - tags: - - 'v*' + tags: 'v*' + +permissions: + contents: write + packages: write + jobs: goreleaser: runs-on: ubuntu-latest + container: kraftkit.sh/myself-full:latest steps: - name: Checkout uses: actions/checkout@v3 - - - name: Unshallow - run: git fetch --prune --unshallow - - - name: Set up Go - uses: actions/setup-go@v3 with: - go-version: "1.20.2" + fetch-depth: 0 + submodules: recursive - - name: Install dependencies + - name: Update packages run: | - sudo apt-get install -y libgit2-dev pkg-config + apt-get install -y --no-install-recommends \ + jq \ + libgit2-dev + + - name: Fetch all tags + run: | + git config --global --add safe.directory /__w/packer-plugin-unikraft/packer-plugin-unikraft + git fetch --force --tags - name: Describe plugin id: plugin_describe run: echo "::set-output name=api_version::$(go run . describe | jq -r '.api_version')" - - name: Install Cosign - uses: sigstore/cosign-installer@main - with: - cosign-release: "v1.4.1" - - - name: Setup Cosign - run: | - echo "${COSIGN_KEY}" > "$GITHUB_WORKSPACE/cosign.key" - env: - COSIGN_KEY: ${{ secrets.COSIGN_KEY }} - - # - name: Install packer-sdc - # run: | - # go mod tidy - # make install-packer-sdc - - # - name: Check with packer-sdc - # run: | - # go build -o packer-plugin-unikraft - # packer-sdc plugin-check packer-plugin-unikraft - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v3 - with: - version: latest - args: release --clean + run: | + goreleaser build \ + --config .goreleaser.yml \ + --skip-validate + goreleaser release \ + --config .goreleaser.yml \ + --clean --skip-validate \ + --skip-sign env: - GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} API_VERSION: ${{ steps.plugin_describe.outputs.api_version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + SIGNORE_CLIENT_ID: ${{ 
secrets.SIGNORE_CLIENT_ID }} + SIGNORE_CLIENT_SECRET: ${{ secrets.SIGNORE_CLIENT_SECRET }} + SIGNORE_SIGNER: ${{ secrets.SIGNORE_SIGNER }} + diff --git a/.goreleaser.yml b/.goreleaser.yml index 58d955f..252313f 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,5 +1,5 @@ env: - - CGO_ENABLED=0 + - CGO_ENABLED=1 before: hooks: # We strongly recommend running tests to catch any regression before release. @@ -19,6 +19,9 @@ builds: mod_timestamp: '{{ .CommitTimestamp }}' flags: - -trimpath #removes all file system paths from the compiled executable + tags: + - static + - system_libgit2 ldflags: - '-s -w -X {{ .ModulePath }}/version.Version={{.Version}} -X {{ .ModulePath }}/version.VersionPrerelease= ' goos: @@ -27,17 +30,22 @@ builds: - amd64 binary: '{{ .ProjectName }}_v{{ .Version }}_{{ .Env.API_VERSION }}_{{ .Os }}_{{ .Arch }}' - + id: linux-builds mod_timestamp: '{{ .CommitTimestamp }}' flags: - -trimpath + tags: + - static + - system_libgit2 ldflags: - '-s -w -X {{ .ModulePath }}/version.Version={{.Version}} -X {{ .ModulePath }}/version.VersionPrerelease= ' goos: - - openbsd - - freebsd - linux goarch: - amd64 + ignore: + - goos: linux + goarch: amd64 binary: '{{ .ProjectName }}_v{{ .Version }}_{{ .Env.API_VERSION }}_{{ .Os }}_{{ .Arch }}' archives: - format: zip 
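Review bot: `container: kraftkit.sh/myself-full:latest` is a mutable tag, and this job runs with `contents: write`, `packages: write` and the `SIGNORE_*` secrets, so the release output depends on whatever image that tag resolves to at run time; pin it by digest, e.g. `container: kraftkit.sh/myself-full@sha256:<digest-placeholder>`. The `goreleaser release` call also passes `--skip-sign`, which skips the `signs:` step that the last `.goreleaser.yml` hunk in this commit switches to `signore`, so the checksum file would be published unsigned while the signing credentials are still exported to the step; drop `--skip-sign`, or drop the three `SIGNORE_*` env entries if signing is meant to be off. `--skip-validate` disables goreleaser's git-state checks on both commands and deserves a comment saying why it is needed. `packages: write` is granted workflow-wide although nothing visible in this hunk publishes a package, so it may be removable.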
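Review bot: In the `@@ -27,17 +30,22 @@` hunk the `linux-builds` entry lists only `goos: linux` and `goarch: amd64` and then adds an `ignore:` item for `goos: linux` / `goarch: amd64`, which excludes the one target it declares, so as written this build appears to produce no binary. If the first build entry (its `goos` list is outside the hunk) already covers linux/amd64, delete this second entry; otherwise remove the `ignore:` block. The hunk also drops `openbsd` and `freebsd`, presumably because of the switch to `CGO_ENABLED=1` in the first hunk of this file; a short comment such as `# cgo + system libgit2: linux only` would record that.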
@@ -48,20 +56,10 @@ checksum: name_template: '{{ .ProjectName }}_v{{ .Version }}_SHA256SUMS' algorithm: sha256 signs: - - id: cosign - cmd: cosign - stdin: "{{ .Env.COSIGN_PASSWORD }}" + - cmd: signore + args: ["sign", "--dearmor", "--file", "${artifact}", "--out", "${signature}"] artifacts: checksum - args: - # if you are using this is in a GitHub action or some other automated pipeline, you - # need to pass the batch flag to indicate its not interactive. - - "--batch" - - "--local-user" - - "{{ .Env.GPG_FINGERPRINT }}" - - "--output" - - "${signature}" - - "--detach-sign" - - "${artifact}" + signature: ${artifact}.sig release: # If you want to manually examine the release before its live, uncomment this line: # draft: true diff --git a/go.mod b/go.mod index 9b320fd..9bc02e6 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,10 @@ require ( kraftkit.sh v0.5.1-48-gddb2e08 ) -replace github.com/zclconf/go-cty => github.com/zclconf/go-cty v1.10.0 +replace ( + github.com/zclconf/go-cty => github.com/zclconf/go-cty v1.10.0 + github.com/libgit2/git2go/v31 => github.com/libgit2/git2go/v31 v31.7.9 +) require ( cloud.google.com/go v0.110.0 // indirect
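Review bot: The new `github.com/libgit2/git2go/v31 => github.com/libgit2/git2go/v31 v31.7.9` entry in the `replace` block has no comment saying why the version is forced, and a `replace` only takes effect when this module is the main module, so a build that consumes the plugin as a dependency will not get the pin. Because `.goreleaser.yml` now builds with the `system_libgit2` tag, the pinned git2go also has to be compatible with the `libgit2-dev` that the release workflow installs unversioned via `apt-get`; git2go v31 is, as far as I know, tied to libgit2 1.1.x, so a newer package in the image would likely break the build. I would add `// pinned to match the libgit2 shipped in the release image` above the entry and install a fixed `libgit2-dev` version in the workflow.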