diff --git a/.gitignore b/.gitignore
index 1563109..9faf207 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /x86_64/
 /*.src.rpm
 /qemu-*.tar.xz
+/qemu-*.tar.xz.sig
diff --git a/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg b/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg
new file mode 100644
index 0000000..a2590c0
Binary files /dev/null and b/gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg differ
diff --git a/qemu.spec b/qemu.spec
index b93dac5..f5b1f4f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -367,7 +367,11 @@ Epoch: 2
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0
 URL: http://www.qemu.org/
 
-Source0: https://download.qemu.org/%{name}-%{version}%{?rcstr}.tar.xz
+%global dlurl https://download.qemu.org
+
+Source0: %{dlurl}/%{name}-%{version}%{?rcstr}.tar.xz
+Source1: %{dlurl}/https://download.qemu.org/%{name}-%{version}%{?rcstr}.tar.xz.sig
+Source2: gpgkey-CEACC9E15534EBABB82D3FA03353C9CEF108B584.gpg
 
 # https://patchwork.kernel.org/project/qemu-devel/patch/20231128143647.847668-1-crobinso@redhat.com/
 # Fix pvh.img ld build failure on fedora rawhide
@@ -388,6 +392,7 @@ Source30: kvm-s390x.conf
 Source31: kvm-x86.conf
 Source36: README.tests
 
+BuildRequires: gnupg2
 BuildRequires: meson >= %{meson_version}
 BuildRequires: bison
 BuildRequires: flex
@@ -1497,6 +1502,8 @@ This package provides the QEMU system emulator for Xtensa boards.
 
 
 %prep
+gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+
 %autosetup -n qemu-%{version}%{?rcstr} -S git_am
 
 %global qemu_kvm_build qemu_kvm_build
@@ -3128,6 +3135,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %changelog
 * Tue Jan  9 2024 Daniel P. Berrangé <berrange@redhat.com> - 8.2.0-1
 - Update to 8.2.0 release
+- Add gpg verification of source tarball
 
 * Sat Dec  9 2023 Richard W.M. Jones <rjones@redhat.com> - 2:8.2.0-0.3.rc2
 - Further fix for Xen 4.18
diff --git a/sources b/sources
index a38f0b3..ce81ee2 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (qemu-8.2.0.tar.xz) = 92ec41196ff145cdbb98948f6b6e43214fa4b4419554a8a1927fb4527080c8212ccb703e184baf8ee0bdfa50ad7a84689e8f5a69eba1bd7bbbdfd69e3b91256c
+SHA512 (qemu-8.2.0.tar.xz.sig) = 05412219ab0ff145f56708f99bc60b378b2b9ef6fbf3c48bffd32a2952188b2ee34a798949b09d6d8fc9f2483094fa0e3b488f52f69508604747ad4e2960f302