diff --git a/Makefile b/Makefile
index 87ddc17..90ebc0a 100644
--- a/Makefile
+++ b/Makefile
@@ -3,12 +3,37 @@
 GIT_REF := $(shell git log -1 --format=%H)
 GIT_AUTHOR := $(shell git log -1 --format=%an)
 GIT_KEY := $(shell git log -1 --format=%GP)
 GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
+export
+
+## Use env vars from latest release when reproducing
+ifeq ($(REPRODUCE),"TRUE")
+	include dist/release.env
+	export
+endif
 
 .DEFAULT_GOAL :=
 .PHONY: default
 default: \
+	out/release.env \
+	out/manifest.txt \
 	out/airgap.iso
 
+## Primary targets
+
+out/airgap.iso: Containerfile $(shell git ls-files rootfs)
+	docker build \
+		--progress=plain \
+		--output type=local,dest=out \
+		--build-arg VERSION="$(or $(VERSION),"development")" \
+		--build-arg GIT_REF="$(GIT_REF)" \
+		--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
+		--build-arg GIT_KEY="$(GIT_KEY)" \
+		--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
+		-f Containerfile \
+		.
+
+## Development Targets
+
 .PHONY: vm
 vm: vm-bios
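Review bot: `ifeq ($(REPRODUCE),"TRUE")` compares the variable against the six characters `"TRUE"`, quotes included, so a plain `REPRODUCE=TRUE` on the command line or in the environment never takes the branch and `dist/release.env` is never included; it should read `ifeq ($(strip $(REPRODUCE)),TRUE)`. The `VERSION="$(or $(VERSION),"development")"` build arg is moved rather than new, but it only works because the shell collapses `""development""` back to `development`; `$(or $(VERSION),development)` expresses the same default without the nested quotes. The bare `export` at the top level and again inside the conditional puts every make variable into the environment of every recipe shell and of the recursive `$(MAKE)`; a one-line comment above it stating why that is wanted (presumably so the included release values reach the sub-make) would save the next reader from narrowing it to the five `GIT_*`/`VERSION` names.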
@@ -41,14 +66,59 @@ vm-efi: out/airgap.iso
 		-display gtk,show-menubar=off,zoom-to-fit=on \
 		-cdrom "out/airgap.iso"
 
-out/airgap.iso: Containerfile $(shell git ls-files rootfs)
-	docker build \
-		--progress=plain \
-		--output type=local,dest=out \
-		--build-arg VERSION="$(or $(VERSION),"development")" \
-		--build-arg GIT_REF="$(GIT_REF)" \
-		--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
-		--build-arg GIT_KEY="$(GIT_KEY)" \
-		--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
-		-f Containerfile \
-		.
+## Signing, Verification, and Release Targets
+
+.PHONY: clean
+clean:
+	rm -rf out
+
+.PHONY: release
+release: default
+	rm -rf dist/*
+	cp -R out/release.env out/airgap.iso out/manifest.txt dist/
+
+.PHONY: sign
+sign:
+	set -e; \
+	git config --get user.signingkey 2>&1 >/dev/null || { \
+		echo "Error: git user.signingkey is not defined"; \
+		exit 1; \
+	}; \
+	fingerprint=$$(\
+		git config --get user.signingkey \
+		| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
+	); \
+	gpg --armor \
+		--detach-sig \
+		--output dist/manifest.$${fingerprint}.asc \
+		dist/manifest.txt
+
+.PHONY: verify
+verify: | dist/manifest.txt
+	set -e; \
+	for file in dist/manifest.*.asc; do \
+		echo "\nVerifying: $${file}\n"; \
+		gpg --verify $${file} dist/manifest.txt; \
+	done;
+
+.PHONY: reproduce
+reproduce: clean | out
+	$(MAKE)
+	diff -q out/manifest.txt dist/manifest.txt;
+
+out:
+	mkdir -p $@
+
+out/release.env: $(shell git ls-files)
+	echo 'VERSION=$(VERSION)' > out/release.env
+	echo 'GIT_REF=$(GIT_REF)' >> out/release.env
+	echo 'GIT_AUTHOR=$(GIT_AUTHOR)' >> out/release.env
+	echo 'GIT_KEY=$(GIT_KEY)' >> out/release.env
+	echo 'GIT_TIMESTAMP=$(GIT_TIMESTAMP)' >> out/release.env
+
+out/manifest.txt: out/airgap.iso out/release.env | out
+	openssl sha256 -r \
+		out/airgap.iso \
+		out/release.env \
+		| sed -e 's/ \*out\// /g' -e 's/ \.\// /g' \
+		> $@
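Review bot: `verify` only checks the detached signatures on `dist/manifest.txt`; nothing checks that `dist/airgap.iso` and `dist/release.env` still match the digests recorded in that manifest, so a replaced ISO sitting next to an untouched, validly signed manifest passes. A recompute-and-compare step built the same way as the `out/manifest.txt` recipe closes that gap, e.g. after the loop: `(cd dist && openssl sha256 -r airgap.iso release.env | sed 's/ \*/ /' | diff - manifest.txt)` (assuming the manifest rows are `<hash> <name>`, which is what the `sed` in `out/manifest.txt` produces). `gpg --verify` as written also accepts any key present in the caller's default keyring; if only designated release keys should count, point it at a project-controlled keyring (`--no-default-keyring --keyring <path>`) rather than the user's. Separately, `out/release.env` has no `| out` order-only prerequisite even though it is the first goal of `default` and redirects into `out/` with `>`, so on a clean checkout it can fail before `docker build` has created the directory; add `| out` as `out/manifest.txt` already does, and note that `reproduce: clean | out` has no ordering between `clean` and `out`, so under `-j` the directory can be removed after it was created.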