diff --git a/Makefile b/Makefile
index 8cf947435..ad7dfedcf 100644
--- a/Makefile
+++ b/Makefile
@@ -3,14 +3,14 @@
 OUTPUT ?= build/tenderdash
 BUILDDIR ?= $(CURDIR)/build
 REPO_NAME ?= github.com/dashevo/tenderdash
-BUILD_TAGS ?= tenderdash
+BUILD_TAGS ?= tenderdash,netgo,osusergo
 # If building a release, please checkout the version tag to get the correct version setting
 ifneq ($(shell git symbolic-ref -q --short HEAD),)
 VERSION := unreleased-$(shell git symbolic-ref -q --short HEAD)-$(shell git rev-parse HEAD)
 else
-VERSION := $(shell git describe)
+VERSION := $(shell git describe --tags)
 endif
-LD_FLAGS = -X ${REPO_NAME}/version.TMCoreSemVer=$(VERSION)
+LD_FLAGS = -X ${REPO_NAME}/version.TMCoreSemVer=$(VERSION) -linkmode 'external' -extldflags '-static'
 BUILD_FLAGS = -mod=readonly -ldflags "$(LD_FLAGS)"
 HTTPS_GIT := https://${REPO_NAME}.git
 BUILD_IMAGE := ghcr.io/tendermint/docker-build-proto
diff --git a/scripts/release/release.sh b/scripts/release/release.sh
index 2a9dbbd45..a4547b015 100755
--- a/scripts/release/release.sh
+++ b/scripts/release/release.sh
@@ -116,7 +116,7 @@ function configureFinal() {
     CURRENT_BRANCH="$(git branch --show-current)"
     SOURCE_BRANCH="v${VERSION_WITHOUT_PRERELEASE%.*}-dev"
     RELEASE_BRANCH="release_${NEW_PACKAGE_VERSION}"
-    MILESTONE="v${VERSION_WITHOUT_PRERELEASE}"
+    MILESTONE="v${VERSION_WITHOUT_PRERELEASE%.*}"
 
     if [[ ${RELEASE_TYPE} != "prerelease" ]]; then # full release
         TARGET_BRANCH="master"
@@ -235,7 +235,7 @@ function createRelease() {
         --generate-notes \
         --target "${TARGET_BRANCH}" \
         ${gh_args} \
-       "v${NEW_PACKAGE_VERSION}"
+        "v${NEW_PACKAGE_VERSION}"
 }
 
 function deleteRelease() {
@@ -251,6 +251,109 @@ function getReleaseUrl() {
     gh release view --json url --jq .url "v${NEW_PACKAGE_VERSION}"
 }
 
+function waitForRelease() {
+    debug 'Waiting for release to be published; use ^C to cancel'
+
+    while [[ "$(gh release view --json isDraft --jq .isDraft "v${NEW_PACKAGE_VERSION}")" != "false" ]]; do
+        sleep 10
+    done
+}
+
+function buildAndUploadArtifacts() {
+
+    bindir="$(mktemp -d)"
+    local platforms=("linux/amd64" "linux/arm64")
+
+    waitForRelease
+    # checkout and build binaries from release tag
+    # TODO: uncomment
+    # git fetch --tags && git checkout "v${NEW_PACKAGE_VERSION}"
+
+    buildBinaries "${bindir}" "${platforms[@]}"
+
+    # Sign binaries
+    signBinary "${bindir}"/tenderdash-*
+
+    # Create tarball
+    for platform in "${platforms[@]}"; do
+        local platform_safe="${platform//\//-}"
+
+        tar -C "${bindir}" \
+            -czf "${bindir}/tenderdash-${NEW_PACKAGE_VERSION}-${platform_safe}.tar.gz" \
+            "tenderdash-${platform_safe}" "tenderdash-${platform_safe}.sig"
+    done
+
+    sha256sum "${bindir}"/*.tar.gz >"${bindir}"/SHA256SUMS
+
+    # Upload to release
+    uploadBinaries "${bindir}"
+
+    # Cleanup
+    rm -r "${bindir}"
+}
+
+# buildBinaries <destdir> <platform1> <platform2> ...
+function buildBinaries() {
+    local dest_dir="$1"
+    shift
+    if [[ -z "${dest_dir}" ]]; then
+        error "Destination directory is required to build binaries"
+    fi
+
+    debug Building binaries
+    pushd "$(realpath "$(dirname "${0}")/../..")"
+
+    while [ -n "$1" ]; do
+        platform="$1"
+        shift
+
+        local platform_safe="${platform//\//-}"
+
+        debug "Building binaries for ${platform}"
+        make clean
+        docker buildx build \
+            --platform "${platform}" \
+            --build-arg TENDERMINT_BUILD_OPTIONS='tenderdash,stable' \
+            -f DOCKER/Dockerfile \
+            -t tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}" \
+            --load \
+            .
+        # Copy /usr/bin/tenderdash from image to dest_dir
+        docker create --name tenderdash-local-"${platform_safe}" --platform "${platform}" tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}"
+        docker cp tenderdash-local-"${platform_safe}":/usr/bin/tenderdash "${dest_dir}/tenderdash-${platform_safe}"
+        docker rm tenderdash-local-"${platform_safe}"
+        # Remove the image
+        docker rmi tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}"
+    done
+
+    popd
+}
+
+# Sign tenederdash binary using default gpg key
+#
+# The key can be overridden by setting GPG_KEY_ID environment variable
+#
+# Args: list of binaries to sign
+function signBinary() {
+
+    local gpg_cmd="gpg"
+    if [[ -n "${GPG_KEY_ID}" ]]; then
+        gpg_cmd="gpg --local-user=${GPG_KEY_ID}"
+    fi
+
+    for binary in "$@"; do
+        debug "Signing binaries with GPG ${gpg_cmd}"
+        $gpg_cmd --armor "--output=${binary}.sig" --detach-sign "${binary}"
+    done
+}
+
+function uploadBinaries() {
+    local bin_dir="$1"
+
+    debug uploading artifacts to release "v${NEW_PACKAGE_VERSION}"
+    gh release upload --clobber "v${NEW_PACKAGE_VERSION}" "${bin_dir}"/{*.tar.gz,SHA256SUMS}
+}
+
 function cleanup() {
     debug Cleaning up
 
@@ -260,6 +363,8 @@ function cleanup() {
 
     # We need to re-detect current branch again
     CURRENT_BRANCH="$(git branch --show-current)"
+
+    make clean
 }
 
 configureDefaults
@@ -283,11 +388,11 @@ success "Release PR: ${PR_URL}"
 
 success "Please review it and merge."
 
-if [[ "${RELEASE_TYPE}" = "prerelease" ]] ; then
+if [[ "${RELEASE_TYPE}" = "prerelease" ]]; then
     success "NOTE: Use 'squash and merge' approach."
-else 
+else
     success "NOTE: Use 'create merge commit' approach."
-fi 
+fi
 
 waitForMerge
 
@@ -300,3 +405,5 @@ sleep 5 # wait for the release to be finalized
 
 success "Release ${NEW_PACKAGE_VERSION} created successfully."
 success "Accept it at: $(getReleaseUrl)"
+
+buildAndUploadArtifacts