diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 90e6f8b..fbacd18 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -78,6 +78,10 @@ jobs:
       run: |
         go build -trimpath -ldflags="-w -s" -v
 
+    - name: Output version
+      run: |
+        ${{ matrix.XCADDY_BIN_PATH }} version
+
     - name: Publish Build Artifact
       uses: actions/upload-artifact@v1
       with:
@@ -107,6 +111,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v2
+      - name: Create 'xcaddy-build'
+        run: mkdir -p xcaddy-build
       - uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f2e1f07..a711abe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,10 +22,19 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
 
-    # So GoReleaser can generate the changelog properly
-    - name: Unshallowify the repo clone
-      run: git fetch --prune --unshallow
+    # Force fetch upstream tags -- because 65 minutes
+    # tl;dr: actions/checkout@v2 runs this line:
+    #   git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
+    # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
+    #   git fetch --prune --unshallow
+    # which doesn't overwrite that tag because that would be destructive.
+    # Credit to @francislavoie for the investigation.
+    # https://github.com/actions/checkout/issues/290#issuecomment-680260080
+    - name: Force fetch upstream tags
+      run: git fetch --tags --force
 
     # https://github.community/t5/GitHub-Actions/How-to-get-just-the-tag-name/m-p/32167/highlight/true#M1027
     - name: Print Go version and environment
@@ -61,6 +70,16 @@ jobs:
     - name: Install Cloudsmith CLI
       run: pip install --upgrade cloudsmith-cli
 
+    - name: Validate commits and tag signatures
+      run: |
+        
+        # Import Matt Holt's key
+        curl 'https://github.com/mholt.gpg' | gpg --import
+
+        echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
+        # tags are only accepted if signed by Matt's key
+        git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
+
     - name: Cache the build cache
       uses: actions/cache@v2
       with:
@@ -69,6 +88,10 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-go${{ matrix.go }}-release
 
+    - name: Create the 'caddy-build' dir for GoReleaser
+      run: |
+        mkdir -p xcaddy-build
+
     # GoReleaser will take care of publishing those artifacts into the release
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
diff --git a/.goreleaser.yml b/.goreleaser.yml
index aa81240..636cd74 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,5 +1,19 @@
 before:
   hooks:
+    # The build is done in this particular way to build xcaddy in a designated directory named in .gitignore.
+    # This is so we can run goreleaser on tag without Git complaining of being dirty. The main.go in cmd/xcaddy directory 
+    # cannot be built within that directory due to changes necessary for the build causing Git to be dirty, which
+    # subsequently causes gorleaser to refuse running.
+    - mkdir -p xcaddy-build
+    - cp cmd/xcaddy/main.go xcaddy-build/main.go
+    - cp ./go.mod xcaddy-build/go.mod
+    - sed -i.bkp 's|github.com/caddyserver/xcaddy|xcaddy|g' ./xcaddy-build/go.mod
+    # GoReleaser doesn't seem to offer {{.Tag}} at this stage, so we have to embed it into the env
+    # so we run: TAG=$(git describe --abbrev=0) goreleaser release --rm-dist --skip-publish --skip-validate
+    - go mod edit -require=github.com/caddyserver/xcaddy@{{.Env.TAG}} ./xcaddy-build/go.mod
+    # as of Go 1.16, `go` commands no longer automatically change go.{mod,sum}. We now have to explicitly
+    # run `go mod tidy`. The `/bin/sh -c '...'` is because goreleaser can't find cd in PATH without shell invocation.
+    - /bin/sh -c 'cd ./xcaddy-build && go mod tidy'
     - go mod download
 
 builds:
@@ -7,7 +21,7 @@ builds:
   - CGO_ENABLED=0
   - GO111MODULE=on
   main: main.go
-  dir: ./cmd/xcaddy
+  dir: ./xcaddy-build
   binary: xcaddy
   goos:
   - darwin
diff --git a/cmd/xcaddy/main.go b/cmd/xcaddy/main.go
new file mode 100644
index 0000000..86017ad
--- /dev/null
+++ b/cmd/xcaddy/main.go
@@ -0,0 +1,23 @@
+// Copyright 2020 Matthew Holt
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	xcaddycmd "github.com/caddyserver/xcaddy/cmd"
+)
+
+func main() {
+	xcaddycmd.Main()
+}