diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index aae3573..5fee56a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,11 +1,12 @@ variables: DOCKER_TLS_CERTDIR: "/certs" + DOCKER_DRIVER: overlay2 services: - - docker:20.10.0-dind + - docker:dind .build: &build - image: docker:20.10.0 + image: docker:latest stage: build script: - docker login -u gitlab-ci-token -p "${CI_JOB_TOKEN}" "${CI_REGISTRY}" 
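Review bot: Replacing `docker:20.10.0-dind` and `docker:20.10.0` with `docker:dind` and `docker:latest` makes every build depend on whatever those tags point to at run time. A changed or compromised upstream image would then reach a job that logs in to the registry with `CI_JOB_TOKEN`, with no change in this repository. Keep a reviewed version, ideally with a digest, e.g. `image: docker:<version>@sha256:<digest>` (placeholders), and bump it deliberately. The same applies to `jdrouet/docker-with-buildx:stable` and the untagged `multiarch/qemu-user-static` in the new `.docker-multiarch-image` template, and to `FROM debian:latest` in the new signald-cross-builder.Dockerfile. The `.build` template continues past the end of this hunk.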
@@ -15,6 +16,26 @@ services: - docker push "${CI_REGISTRY_IMAGE}/${NAME}:${CI_COMMIT_REF_SLUG}" - if [[ "${CI_COMMIT_REF_SLUG}" == "main" ]]; then docker tag "${CI_REGISTRY_IMAGE}/${NAME}:${CI_COMMIT_REF_SLUG}" "${CI_REGISTRY_IMAGE}/${NAME}:latest" && docker push "${CI_REGISTRY_IMAGE}/${NAME}:latest"; fi +.docker-multiarch-image: &docker-multiarch-image + image: jdrouet/docker-with-buildx:stable + stage: build + tags: [docker-builder] + before_script: # per recommendations from https://github.com/docker/buildx/issues/495#issuecomment-754200673 + - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes + - docker buildx create --name cibuilder --driver docker-container --use + - docker buildx inspect --bootstrap + - docker login -u gitlab-ci-token -p "${CI_JOB_TOKEN}" "${CI_REGISTRY}" + - export platform_sanatized=$(echo ${PLATFORM:6} | sed 's#/#-#g') + script: + - docker buildx build --platform "${PLATFORM}" -f "${DOCKERFILE}" -t "${CI_REGISTRY_IMAGE}/${NAME}:${CI_COMMIT_SHA:0:8}" -t "${CI_REGISTRY_IMAGE}/${NAME}-${platform_sanatized}:${CI_COMMIT_SHA:0:8}" -t "${CI_REGISTRY_IMAGE}/${NAME}:${CI_COMMIT_REF_SLUG}" -t "${CI_REGISTRY_IMAGE}/${NAME}-${platform_sanatized}:${CI_COMMIT_REF_SLUG}" --push . + - if [[ "${CI_COMMIT_REF_SLUG}" == "main" ]]; then docker buildx build --platform "${PLATFORM}" -f "${DOCKERFILE}" -t "${CI_REGISTRY_IMAGE}/${NAME}:latest" -t "${CI_REGISTRY_IMAGE}/${NAME}-${platform_sanatized}:latest" --push . ; fi + parallel: + matrix: + - PLATFORM: + - linux/amd64 + - linux/arm64/v8 + - linux/arm/v7 + signal-server: image: docker:20.10.0 stage: build 
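Review bot: The three matrix jobs of `.docker-multiarch-image` all push the un-suffixed tags `${CI_REGISTRY_IMAGE}/${NAME}:${CI_COMMIT_SHA:0:8}`, `:${CI_COMMIT_REF_SLUG}` and `:latest`, each built with a single `--platform`. Those tags therefore end up pointing at whichever architecture finishes last, not at a multi-arch manifest. Either push only the `${NAME}-${platform_sanatized}` tags from the matrix jobs and assemble the shared tag afterwards (for example with `docker buildx imagetools create`), or drop the matrix and pass all three platforms to one `docker buildx build --platform linux/amd64,linux/arm64/v8,linux/arm/v7`. Separately, `docker login -p "${CI_JOB_TOKEN}"` puts the job token on the command line; `echo "${CI_JOB_TOKEN}" | docker login -u gitlab-ci-token --password-stdin "${CI_REGISTRY}"` avoids that.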
@@ -30,6 +51,21 @@ signal-server: - echo "docker pull ${CI_REGISTRY_IMAGE}/signal-server:${VERSION}" allow_failure: true +freebsd-cross-build: + image: docker:20.10.0 + stage: build + script: + - apk add git + - git clone https://github.com/wezm/freebsd-cross-build.git + - cd freebsd-cross-build + - echo "RUN apt-get update && apt-get install -y git" >> Dockerfile + - VERSION=$(git rev-parse --short=8 HEAD) + - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY} + - docker build -t ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${VERSION} . + - docker push ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${VERSION} + - if [[ "${CI_COMMIT_REF_SLUG}" == "main" ]]; then docker tag ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${VERSION} ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:latest && docker push ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:latest; fi + - echo "docker pull ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${VERSION}" + test-helper: <<: *build variables: @@ -37,16 +73,20 @@ test-helper: NAME: "test-helper" allow_failure: true -builder-image:aarch64: +signal-cross-builder: <<: *build - tags: [arm-docker-builder] variables: - DOCKERFILE: "signald-builder.Dockerfile" - NAME: "signald-builder-arm" + DOCKERFILE: "signald-cross-builder.Dockerfile" + NAME: "signald-cross-builder" -builder-image-alpine:aarch64: - <<: *build - tags: [arm-docker-builder] +builder-image-alpine: + <<: *docker-multiarch-image variables: DOCKERFILE: "signald-builder-alpine.Dockerfile" NAME: "signald-builder-alpine-arm" + +signald-builder: + <<: *docker-multiarch-image + variables: + DOCKERFILE: "signald-builder.Dockerfile" + NAME: "signald-builder" \ No newline at end of file diff --git a/apt-signing-key.asc b/apt-signing-key.asc new file mode 100644 index 0000000..89484f7 --- /dev/null +++ b/apt-signing-key.asc 
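Review bot: In the `freebsd-cross-build` job, the `git clone` of `https://github.com/wezm/freebsd-cross-build.git` is not pinned to a commit. Whatever the upstream default branch holds at run time is built and pushed to the project registry (as `:latest` on main) without review here. Check out a reviewed commit after the `cd`, e.g. `- git checkout --detach "<reviewed-commit-sha>"` (placeholder), and update it deliberately. The `docker login`, `docker build` and `docker push` lines also leave `${CI_JOB_TOKEN}`, `${CI_REGISTRY}` and the image references unquoted; quote them as the `.build` template does.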
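Review bot: In the hunk that renames the builder jobs, `builder-image-alpine` now uses the multi-arch template but keeps `NAME: "signald-builder-alpine-arm"`. The amd64 build is therefore published under an `-arm` name; going by the template's tag scheme it would be something like `signald-builder-alpine-arm-amd64`. If no consumer depends on the old name, `NAME: "signald-builder-alpine"` would match the new `signald-builder` job; otherwise add a comment explaining the legacy name. The file also now ends without a trailing newline.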
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFuazg4BCACuz8352FK7Z89KpFEam5u7Xh3OB1ZPxJvh+sHVgrZbNYalYPxW
+yHF0ULRPPsVHu02W5AM/O/qbMGEe0JbQvIxdCWAzGGL0fPgR3xn6hBGUDlCTQyDc
+keok6jWQsy9etqTTu1eyHaREJpLvKAGXN7Bk2pOIv3WSufYNLTgbdqBCk854n7/P
+dvQkU6OFBSU8XiG5UAx5n8mJcmt5JiWa4CEUoJN7IsLTI4YKd2pG4BmXTtfCEk5J
+BraPtNxwgRVdM9bWdBfYlftIK1JCPcc5WdN9ejgH0s43rbwRnT3nk5O/XQF3GtO9
+j5UxEu86Xa4zSlYVttL1rWmgdLiEVHzdbK/LABEBAAG0NUphbmt5IFNvbHV0aW9u
+cyBCdWlsZCBTZXJ2ZXIgPGJ1aWxkc0BqYW5reS5zb2x1dGlvbnM+iQFUBBMBCAA+
+AhsDBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEE2J/7RSkSKaQQoUMKZZR1CB9m
+XykFAl76qqcFCQzF3hkACgkQZZR1CB9mXym7LggAl/DFBdMhsUxMvbXRWl2QixFT
+wLZnrkKZwX8Wpab0CRSbme+0vSDfx7t/y65KECQl/tIX2ifP9bjz4FKEMJ/GuDHS
+JPdf63EFr+09iGkouC+vPyQMBhY9NqzlZ5Zzt42kHYt0CPw3Kpl1eUyjyFYmhDY6
+zEK4K5EVXgu2Dj4ZBy3pmt6P/Gfdm33zGB4aw9mWNyQ0V0yUMbv77pLKhF8XulX+
+KbNNr9Osqdt8xi3LR06H8BwB6gvxudql62JSvQvO1kRlyQ4ZJwwx96rFHMqeuUzs
+faYCS9toSiWNytA5WBXr/QURRhJg8V/duR/PjTDgy4/YFO83syUhxAheXdkfE7kB
+DQRbms4OAQgAroyEoIpMtNogrWGzsq0twtMSJNnaR7+Bd1x54+M/O2HNzFBHpT/W
+4vYeSSWmfGnKx7E/SgjY3zM8wV/ahSHfVlGv5IpaEj5OsakJNO12UK+3Yike4tTy
+U7ONAA/pZtCRQz0PHkGoCZlOfSCU8Tr+RuAJE24j8EhMzbDOdUn7z18LpsBqfA5G
+f2CGcgCoI6o00GPqvKdx975sGuoRlQ0VNMQADMvRBrQnRddmF8fd+p1eWeQgUH7j
+LbpSBT4zKZwYL7JsTYuDeb+GvaTxnBtL8yTF2A7MYl5PooycvIHIJ8tSjy4U2T2e
+/nuFcKyC4hbwuuZMyC9qABgIsMs6DFYyswARAQABiQE8BBgBCAAmAhsMFiEE2J/7
+RSkSKaQQoUMKZZR1CB9mXykFAl2GavMFCQPM0GUACgkQZZR1CB9mXynD8wf/RV1H
+9Jo500QbA3T+Ao+lvAe5y89ydhxeJmPNu2snGrQuxz4FgCdVyIUtsq/pKIVD+SIY
+U/uXidoOtfBkh8vZ+YPiRjKuyV+d6p1Ke+mHwV6jRM/IyxNCxRJULyZh5VbOcFXN
+1ftH5GkLHEUeOtXu9URcYBHNBaIKYC0JxUQ9ce9F1bw3h3c0Tpl/+kFxVQ3hNKTp
+bSpnHwEXvjLwP0muW8Wy7nK2a+yZrXjBQDcoE2sx9oJaHtynWruVKmTzy214gUgS
+gyfRRGfne79N6ek6bcQQ9DBoSEslELEC/Ki/nwG9jChObt5Z9L6iRxXgD51DIaW0
+zWh8fxxloSY15g7/GA==
+=0oUH
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/signald-builder.Dockerfile b/signald-builder.Dockerfile
index 00beb9a..b5ae21d 100644
--- a/signald-builder.Dockerfile
+++ b/signald-builder.Dockerfile
@@ -1,4 +1,6 @@
 FROM debian:latest
+ADD apt-signing-key.asc /tmp/apt-signing-key.asc
+RUN for p in dpkg-split dpkg-deb tar rm; do ln -s /usr/bin/$p /usr/sbin/$p; done
 RUN apt-get update && apt-get install -y \
 gpg \
 dpkg-dev \
@@ -12,9 +14,14 @@ RUN apt-get update && apt-get install -y \
 git-buildpackage \
 gradle-debian-helper \
 jq \
+ aptly \
+ build-essential \
 && rm -rf /var/lib/apt/lists/*
-RUN adduser signald
+
 COPY deb-scripts/release-deb.sh /usr/bin/release-deb
 COPY deb-scripts/get-component.sh /usr/bin/get-component
 COPY deb-scripts/repo-cron.sh /usr/bin/repo-cron
+
+RUN adduser signald
 USER signald
+RUN gpg --no-default-keyring --keyring trustedkeys.gpg --import /tmp/apt-signing-key.asc
diff --git a/signald-cross-builder.Dockerfile b/signald-cross-builder.Dockerfile
new file mode 100644
index 0000000..f4907ed
--- /dev/null
+++ b/signald-cross-builder.Dockerfile
@@ -0,0 +1,29 @@
+FROM debian:latest
+RUN dpkg --add-architecture armhf && dpkg --add-architecture arm64
+ADD apt-signing-key.asc /tmp/apt-signing-key.asc
+RUN apt-get update && apt-get install -y \
+ gpg \
+ dpkg-dev \
+ apt-utils \
+ wget \
+ dh-make \
+ debhelper \
+ javahelper \
+ gradle \
+ default-jdk-headless \
+ git-buildpackage \
+ gradle-debian-helper \
+ jq \
+ aptly \
+ build-essential \
+ crossbuild-essential-armhf \
+ crossbuild-essential-arm64 \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY deb-scripts/release-deb.sh /usr/bin/release-deb
+COPY deb-scripts/get-component.sh /usr/bin/get-component
+COPY deb-scripts/repo-cron.sh /usr/bin/repo-cron
+
+RUN adduser signald
+USER signald
+RUN gpg --no-default-keyring --keyring trustedkeys.gpg --import /tmp/apt-signing-key.asc
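Review bot: In the first hunk of signald-builder.Dockerfile, the added `RUN for p in dpkg-split dpkg-deb tar rm; do ln -s /usr/bin/$p /usr/sbin/$p; done` has no comment saying why these tools must be reachable under /usr/sbin. It presumably works around a PATH lookup problem in the emulated multi-arch builds, but that should be stated, e.g. `# dpkg/tar/rm are looked up under /usr/sbin in emulated builds (TODO confirm); symlink them from /usr/bin`. Plain `ln -s` also fails the build if a future base image already ships one of those paths. The `ADD` of a local file could be `COPY`, which the later lines already use.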
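Review bot: In the second hunk of signald-builder.Dockerfile, and in the identical last line of signald-cross-builder.Dockerfile, the key is imported into `trustedkeys.gpg` with no check that the file holds the key the maintainers intend to trust. That keyring is presumably what repository signatures are later verified against, so a silent change to `apt-signing-key.asc` would change the trust anchor. Record the expected fingerprint next to the import and fail the build on mismatch, for instance by comparing the `fpr` record from `gpg --show-keys --with-colons /tmp/apt-signing-key.asc` against `<EXPECTED_FINGERPRINT>` (placeholder) before `--import`. The staged copy under /tmp is never removed; a stable path copied with `COPY` would be clearer.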