diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index 30ffde52f..3f493bb4c 100644
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -2,9 +2,13 @@ name: CLI
 on:
 push:
- branches: [develop]
+ branches:
+ - develop
+ - master
 pull_request:
- branches: [develop]
+ branches:
+ - develop
+ - master
 jobs:
 build:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..d0054b417
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,49 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - "v*"
+
+jobs:
+ tagged-release:
+ name: "Tagged Release"
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Install dependencies
+ run: sudo apt-get update && sudo apt-get install git ruby rpm -y
+ - name: Install fpm
+ run: gem install fpm || sudo gem install fpm
+ - name: Set up Go 1.15
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.15
+ id: go
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v2
+ - name: Make release directory
+ run: mkdir dist
+ - name: Build deb and rpm
+ run: make deb-pkg rpm-pkg
+ - name: Move deb and rpm into release directory
+ run: mv *.deb *.rpm dist/
+ - name: Set RELEASE_VERSION
+ run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+ - name: Build darwin binary
+ run: GOOS=darwin CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin go.mozilla.org/sops/v3/cmd/sops
+ - name: Build windows binary
+ run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe go.mozilla.org/sops/v3/cmd/sops
+ - name: Copy already built linux binary
+ run: cp tmppkg/usr/local/bin/sops dist/sops-${{ env.RELEASE_VERSION }}.linux
+ - name: Create release
+ uses: "mozilla/action-automatic-releases@latest"
+ with:
+ repo_token: "${{ secrets.GITHUB_TOKEN }}"
+ prerelease: true
+ files: |
+ dist/sops-${{ env.RELEASE_VERSION }}.windows
+ dist/sops-${{ env.RELEASE_VERSION }}.darwin
+ dist/sops-${{ env.RELEASE_VERSION }}.linux
+ dist/sops_${{ env.RELEASE_VERSION }}_amd64.deb
+ dist/sops_${{ env.RELEASE_VERSION }}-1.x86_64.rpm
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5a3049738..23e8034c4 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,15 @@
 Changelog
 =========
+3.7.1
+-----
+Changes:
+
+ * Security fix
+ * Add release workflow (#843)
+ * Fix issue where CI wouldn't run against master (#848)
+ * Trim extra whitespace around age keys (#846)
+
 3.7.0
 -----
 Features:
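Review bot: In `.github/workflows/release.yml`, the `Create release` step runs `mozilla/action-automatic-releases@latest` with `secrets.GITHUB_TOKEN`, and `@latest` is a mutable ref, so whatever it points to when a tag is pushed runs with the token that publishes the binaries; pin it (and `actions/checkout@v2`, `actions/setup-go@v2`) to a full commit SHA, e.g. `uses: mozilla/action-automatic-releases@<full-commit-sha>`, and add a top-level `permissions:` block limited to `contents: write`. Separately, the Windows binary is written to `dist/sops-${{ env.RELEASE_VERSION }}.exe` but `files:` lists `dist/sops-${{ env.RELEASE_VERSION }}.windows`, so that entry matches nothing and the Windows build would not be attached. `RELEASE_VERSION` is derived from the tag and so keeps the leading `v`, while the Makefile takes the package version from `version/version.go`, so the `.deb`/`.rpm` entries probably miss as well; worth confirming against an actual run. The workflow also publishes no checksum file or signature alongside the artifacts.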
diff --git a/Dockerfile b/Dockerfile
index 2b19d13e0..8585f16c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.14
+FROM golang:1.15
 COPY . /go/src/go.mozilla.org/sops
 WORKDIR /go/src/go.mozilla.org/sops
diff --git a/Makefile b/Makefile
index 81ae958ac..b20bda234 100644
--- a/Makefile
+++ b/Makefile
@@ -48,27 +48,28 @@ functional-tests-all:
 $(GO) build -o functional-tests/sops go.mozilla.org/sops/v3/cmd/sops
 cd functional-tests && cargo test && cargo test -- --ignored
-deb-pkg: install
+deb-pkg: vendor
 rm -rf tmppkg
 mkdir -p tmppkg/usr/local/bin
- cp $$GOPATH/bin/sops tmppkg/usr/local/bin/
+ GOOS=linux CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops
 fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \
 --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \
- -m "Julien Vehent " \
+ -m "AJ Bahnken " \
 --url https://go.mozilla.org/sops \
 --architecture x86_64 \
 -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \
 -s dir -t deb .
-rpm-pkg: install
+rpm-pkg: vendor
 rm -rf tmppkg
 mkdir -p tmppkg/usr/local/bin
- cp $$GOPATH/bin/sops tmppkg/usr/local/bin/
+ GOOS=linux CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops
 fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \
 --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \
- -m "Julien Vehent " \
+ -m "AJ Bahnken " \
 --url https://go.mozilla.org/sops \
 --architecture x86_64 \
+ --rpm-os linux \
 -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \
 -s dir -t rpm .
diff --git a/age/keysource.go b/age/keysource.go
index c0b9c6561..941f422dc 100644
--- a/age/keysource.go
+++ b/age/keysource.go
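Review bot: In the Makefile hunk, the new `go build` line in `deb-pkg` and `rpm-pkg` sets `GOOS=linux` but not `GOARCH`, while fpm is told `--architecture x86_64`, so on a non-amd64 build host the package metadata would not match the binary it wraps. `GOOS=linux GOARCH=amd64 CGO_ENABLED=0 $(GO) build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops` fixes that and also uses the `$(GO)` variable that `functional-tests-all` uses instead of a bare `go`. The build line is repeated verbatim in both targets; a shared variable or prerequisite target would keep the two from drifting apart.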
@@ -179,6 +179,7 @@ func MasterKeysFromRecipients(commaSeparatedRecipients string) ([]*MasterKey, er
 // MasterKeyFromRecipient takes a Bech32-encoded public key and returns a new MasterKey.
 func MasterKeyFromRecipient(recipient string) (*MasterKey, error) {
+ recipient = strings.TrimSpace(recipient)
 parsedRecipient, err := parseRecipient(recipient)
 if err != nil {
diff --git a/age/keysource_test.go b/age/keysource_test.go
index 2a3bebdfd..35891b20f 100644
--- a/age/keysource_test.go
+++ b/age/keysource_test.go
@@ -20,6 +20,16 @@ func TestMasterKeysFromRecipientsEmpty(t *testing.T) {
 assert.Equal(recipients, make([]*MasterKey, 0))
 }
+func TestMasterKeyFromRecipientWithLeadingAndTrailingSpaces(t *testing.T) {
+ assert := assert.New(t)
+
+ key, err := MasterKeyFromRecipient(" age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw ")
+
+ assert.NoError(err)
+
+ assert.Equal(key.Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw")
+}
+
 func TestAge(t *testing.T) {
 assert := assert.New(t)
diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go
index 2741319df..d1d5e6a75 100644
--- a/cmd/sops/edit.go
+++ b/cmd/sops/edit.go
@@ -6,8 +6,8 @@ import (
 "os"
 "crypto/md5"
+ exec "golang.org/x/sys/execabs"
 "io"
- "os/exec"
 "strings"
 "bufio"
diff --git a/go.mod b/go.mod
index 3799fb843..37784afcd 100644
--- a/go.mod
+++ b/go.mod
@@ -42,7 +42,7 @@ require (
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
- golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 // indirect
+ golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43
 google.golang.org/api v0.7.0
 google.golang.org/grpc v1.27.0
 google.golang.org/protobuf v1.25.0
diff --git a/version/version.go b/version/version.go
index cbcff60f0..4bd14cbb2 100644
--- a/version/version.go
+++ b/version/version.go
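Review bot: In `age/keysource.go`, the doc comment on `MasterKeyFromRecipient` still describes the input as a bare Bech32 key although the function now normalises it first; I would extend it to `// MasterKeyFromRecipient takes a Bech32-encoded public key, ignoring leading and trailing whitespace, and returns a new MasterKey.` The function body continues past the end of the hunk, and the `strings` import is not visible here, so confirm it is already in the file's import block.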
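Review bot: In `age/keysource_test.go`, the new test reads `key.Recipient` right after `assert.NoError(err)`, which does not stop the test, so a parse failure would surface as a nil-pointer panic rather than a clean assertion failure; guard it with `if !assert.NoError(err) { return }`. The arguments to `assert.Equal` are also in (actual, expected) order, so a failure message would label the two values the wrong way round: `assert.Equal("age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw", key.Recipient)`. Only the single-recipient entry point is exercised; a case that goes through `MasterKeysFromRecipients` with spaces after the commas would cover what is presumably the user-facing path.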
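Review bot: In `cmd/sops/edit.go`, the swap to `exec "golang.org/x/sys/execabs"` carries no comment, so a later import cleanup could put `os/exec` back without anyone noticing it was the security fix; I would add `// execabs rejects a PATH lookup that resolves relative to the current directory; do not replace with os/exec.` above the import. The aliased third-party import also sits in the middle of the standard-library ones, where goimports would place it in its own group after a blank line. Only this file changes in the visible diff, so any other package that still imports `os/exec` to launch external commands is worth a grep, and because the release targets build with `-mod vendor`, the vendored copy of `execabs` has to be in the tree (not shown here). The import block starts and ends outside the hunk.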
@@ -11,7 +11,7 @@ import (
 )
 // Version represents the value of the current semantic version
-const Version = "3.7.0"
+const Version = "3.7.1"
 // PrintVersion handles the version command for sops
 func PrintVersion(c *cli.Context) {