diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000..22557e5aa2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,24 @@
+FROM golang:1.17-alpine AS build-env
+
+ENV CGO_ENABLED 0
+
+RUN apk add --no-cache make git ncurses
+
+WORKDIR /home/runner/work/gopass/gopass
+
+COPY go.mod .
+COPY go.sum .
+RUN go mod download
+
+COPY . .
+
+ARG golags_arg=""
+ENV GOFLAGS=$goflags_arg
+
+RUN make clean
+RUN make gopass
+
+FROM alpine:3.15
+RUN apk add --no-cache ca-certificates git gnupg
+COPY --from=build-env /home/runner/work/gopass/gopass/gopass /usr/local/bin/
+
diff --git a/Makefile b/Makefile
index a234a3c752..548fe8fbcd 100644
--- a/Makefile
+++ b/Makefile
@@ -11,13 +11,13 @@ ZSH_COMPLETION_OUTPUT := zsh.completion
 CLIPHELPERS ?= ""
 # Support reproducible builds by embedding date according to SOURCE_DATE_EPOCH if present
 DATE := $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" '+%FT%T%z' 2>/dev/null || date -u '+%FT%T%z')
-BUILDFLAGS_NOPIE := -trimpath -ldflags="-s -w -X main.version=$(GOPASS_VERSION) -X main.commit=$(GOPASS_REVISION) -X main.date=$(DATE) $(CLIPHELPERS)" -gcflags="-trimpath=$(GOPATH)" -asmflags="-trimpath=$(GOPATH)"
+BUILDFLAGS_NOPIE := -tags=netgo -trimpath -ldflags="-s -w -X main.version=$(GOPASS_VERSION) -X main.commit=$(GOPASS_REVISION) -X main.date=$(DATE) $(CLIPHELPERS)" -gcflags="-trimpath=$(GOPATH)" -asmflags="-trimpath=$(GOPATH)"
 BUILDFLAGS ?= $(BUILDFLAGS_NOPIE) -buildmode=pie
 TESTFLAGS ?=
 PWD := $(shell pwd)
 PREFIX ?= $(GOPATH)
 BINDIR ?= $(PREFIX)/bin
-GO ?= GO111MODULE=on go
+GO ?= GO111MODULE=on CGO_ENABLED=0 go
 GOOS ?= $(shell $(GO) version | cut -d' ' -f4 | cut -d'/' -f1)
 GOARCH ?= $(shell $(GO) version | cut -d' ' -f4 | cut -d'/' -f2)
 TAGS ?= netgo
diff --git a/docs/releases.md b/docs/releases.md
index 1cbbdc8a2c..c24904c321 100644
--- a/docs/releases.md
+++ b/docs/releases.md
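Review bot: In the new Dockerfile the build argument is declared as `ARG golags_arg=""` but the next line reads `$goflags_arg`, so GOFLAGS is always empty and a value passed with `--build-arg goflags_arg=...` never reaches the build; the declaration should be `ARG goflags_arg=""`. The runtime stage (`FROM alpine:3.15`) also sets no `USER`, so gopass and gnupg run as root and any mounted key material or password store is handled with root privileges; adding `RUN adduser -D -u 10001 gopass` and `USER gopass` after the `apk add` line would drop them. `COPY . .` sends the whole build context into the build stage, so a `.dockerignore` excluding `.git` and local secrets is worth confirming, since none is visible in this commit.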
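Review bot: In the Makefile hunk, putting `CGO_ENABLED=0` into `GO` disables cgo for every target that invokes `$(GO)`, not only the static release build; the recipes are outside this hunk, but any target running `go test -race` would fail because the race detector requires cgo, and `-buildmode=pie` without cgo depends on internal-linker support for the target platform. Consider making it overridable, e.g. `CGO_ENABLED ?= 0` with `GO ?= GO111MODULE=on CGO_ENABLED=$(CGO_ENABLED) go`. The literal `-tags=netgo` added to `BUILDFLAGS_NOPIE` also duplicates `TAGS ?= netgo` at the end of the hunk, so overriding `TAGS` may no longer control the tags actually used. If the intent is a static binary for the alpine runtime image, a comment such as `# netgo + CGO_ENABLED=0: static binary for the alpine runtime image` above these lines would record why both are forced.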
@@ -55,3 +55,14 @@ $ git tag -s vX.Y.Z $ git push origin vX.Y.Z ``` +### Reproducible Builds + +`gopass` supports [reproducible builds](https://reproducible-builds.org/). When +building from git [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) +can be used to override the compile date, .e.g `SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)`. +When building a release `goreleaser` will automatically use the exact timestamp +of the last commit. + +Internal paths are stripped using `-trimpath` and appropriate `-ldflags` (e.g. +`-s`, `-w`). See the Makefile header for the exact set of flags. +