diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index f92a0ea..545274d 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Release
+name: Create distribution
 
 on:
   push:
@@ -41,21 +41,13 @@ jobs:
         run: >-
           go generate ./...
 
-      - name: Build for Linux
-        run: >-
-          go build -v -ldflags '-s -w
-          -X git.ophivana.moe/security/fortify/internal.Version=${{ github.ref_name }}
-          -X git.ophivana.moe/security/fortify/internal.Fsu=/usr/bin/fsu
-          -X git.ophivana.moe/security/fortify/internal.Finit=/usr/libexec/fortify/finit
-          -X main.Fmain=/usr/bin/fortify
-          -X main.Fshim=/usr/libexec/fortify/fshim'
-          -o bin/ ./... &&
-          (cd bin && sha512sum --tag -b * > sha512sums)
+      - name: Build for release
+        run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh
 
       - name: Release
         id: use-go-action
         uses: https://gitea.com/actions/release-action@main
         with:
           files: |-
-            bin/**
+            dist/fortify-**
           api_key: '${{secrets.RELEASE_TOKEN}}'
diff --git a/.gitignore b/.gitignore
index d374fc7..307f987 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,4 +25,7 @@ go.work.sum
 .vscode
 
 # go generate
-security-context-v1-protocol.*
\ No newline at end of file
+security-context-v1-protocol.*
+
+# release
+/dist/fortify-*
\ No newline at end of file
diff --git a/dist/fsurc.default b/dist/fsurc.default
new file mode 100644
index 0000000..f770d5e
--- /dev/null
+++ b/dist/fsurc.default
@@ -0,0 +1 @@
+1000 0
\ No newline at end of file
diff --git a/dist/install.sh b/dist/install.sh
new file mode 100755
index 0000000..71b00d0
--- /dev/null
+++ b/dist/install.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+cd "$(dirname -- "$0")" || exit 1
+
+install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
+install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
+install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
+install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
+
+install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
+install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
diff --git a/dist/release.sh b/dist/release.sh
new file mode 100755
index 0000000..8505277
--- /dev/null
+++ b/dist/release.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -e
+cd "$(dirname -- "$0")/.."
+VERSION="${FORTIFY_VERSION:-untagged}"
+pname="fortify-${VERSION}"
+out="dist/${pname}"
+
+mkdir -p "${out}"
+cp "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
+
+go build -v -o "${out}/bin/" -ldflags "-s -w
+  -X git.ophivana.moe/security/fortify/internal.Version=${VERSION}
+  -X git.ophivana.moe/security/fortify/internal.Fsu=/usr/bin/fsu
+  -X git.ophivana.moe/security/fortify/internal.Finit=/usr/libexec/fortify/finit
+  -X main.Fmain=/usr/bin/fortify
+  -X main.Fshim=/usr/libexec/fortify/fshim" ./...
+
+rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
+rm -rf "./${out}"
+sha512sum "${out}.tar.gz" > "${out}.tar.gz.sha512"
\ No newline at end of file