diff --git a/.gitignore b/.gitignore
index c7c58e3..4b892e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /clog
 /*.src.rpm
 /*.tar.gz
+/*.tar.gz.asc
diff --git a/borgbackup.spec b/borgbackup.spec
index 8a4b44a..0e55978 100644
--- a/borgbackup.spec
+++ b/borgbackup.spec
@@ -8,7 +8,7 @@
 
 Name:           %{srcname}
 Version:        1.1.10
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        A deduplicating backup program with compression and authenticated encryption
 
 %if %bundle_msgpack
@@ -19,12 +19,18 @@ License:        BSD and zlib
 
 URL:            https://borgbackup.readthedocs.org
 Source0:        %pypi_source
+Source1:        %pypi_source.asc
+# upstream publishes only key ids:
+#    https://borgbackup.readthedocs.io/en/stable/support.html#verifying-signed-releases
+# gpg2 --export --export-options export-minimal "6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393" > gpgkey-6D5B_EF9A_DD20_7580_5747_B70F_9F88_FB52_FAF7_B393.gpg
+Source2:        gpgkey-6D5B_EF9A_DD20_7580_5747_B70F_9F88_FB52_FAF7_B393.gpg
 
 # we don't need the guzzley_sphinx theme for only man page generation
 Patch1:         0002-disable-sphinx-man-page-build.patch
 # ability not to build bundled msgpack
 Patch2:         0003-ability-to-unbundle-msgpack.patch
 
+BuildRequires:  gnupg2
 # build
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
@@ -76,6 +82,7 @@ BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it
 supports compression and authenticated encryption.
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
 rm -rf %{srcname}.egg-info
 
@@ -181,6 +188,9 @@ py.test-3 -x -vk "$TEST_SELECTOR" $PYTHONPATH/borg/testsuite/*.py
 
 
 %changelog
+* Thu Nov 28 2019 Felix Schwarz <fschwarz@fedoraproject.org> - 1.1.10-6
+- enable GPG source file verification
+
 * Mon Sep 23 2019 Felix Schwarz <fschwarz@fedoraproject.org> - 1.1.10-5
 - Rebuilt for libb2 0.98.1
 
diff --git a/gpgkey-6D5B_EF9A_DD20_7580_5747_B70F_9F88_FB52_FAF7_B393.gpg b/gpgkey-6D5B_EF9A_DD20_7580_5747_B70F_9F88_FB52_FAF7_B393.gpg
new file mode 100644
index 0000000..f94fb3b
Binary files /dev/null and b/gpgkey-6D5B_EF9A_DD20_7580_5747_B70F_9F88_FB52_FAF7_B393.gpg differ
diff --git a/sources b/sources
index 1216e34..1607059 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (borgbackup-1.1.10.tar.gz) = 9315335208f10427e3105e10819817d15fd05171479252903bd51eaacb016bc3ff792d505b9203ce0b9b41ec350472bdb9a23b0128e7fe156aaa47c1608451c0
+SHA512 (borgbackup-1.1.10.tar.gz.asc) = 608f90f485c05543e46e39aa11490baf064b436934262b40a2e77919ed64f7e4fa14bf3277ae3f8224b9cd8bcc00122639f2671d408972bb4bc164bd55cb3bbc