replace goxc with release.sh
goxc is overkill for our purposes.
Note that you will need the developer private key in order to sign binaries. (Well, technically you can sign them with any key.)
Maybe siac
should include a command for verifying signed release binaries.