diff --git a/.gitignore b/.gitignore
index 410cff4..4bd7ec0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /clog
 /nbdkit-*.tar.gz
+/nbdkit-*.tar.gz.sig
diff --git a/libguestfs.keyring b/libguestfs.keyring
new file mode 100644
index 0000000..bb3eb55
Binary files /dev/null and b/libguestfs.keyring differ
diff --git a/nbdkit.spec b/nbdkit.spec
index 0cbbdd0..5b879ad 100644
--- a/nbdkit.spec
+++ b/nbdkit.spec
@@ -16,6 +16,9 @@
 %global have_python3 1
 %endif
 
+# If we should verify tarball signature with GPGv2.
+%global verify_tarball_signature 1
+
 Name:           nbdkit
 Version:        1.3.2
 Release:        1%{?dist}
@@ -25,6 +28,11 @@ License:        BSD
 URL:            https://github.com/libguestfs/nbdkit
 
 Source0:        http://libguestfs.org/download/nbdkit/%{name}-%{version}.tar.gz
+%if 0%{verify_tarball_signature}
+Source1:        http://libguestfs.org/download/nbdkit/%{name}-%{version}.tar.gz.sig
+# Keyring used to verify tarball signature.
+Source2:       libguestfs.keyring
+%endif
 
 %if 0%{?rhel} == 7
 # On RHEL 7, nothing in the virt stack is shipped on aarch64 and
@@ -60,6 +68,9 @@ BuildRequires:  python3-devel
 BuildRequires:  ocaml >= 4.02.2
 %endif
 BuildRequires:  ruby-devel
+%if 0%{verify_tarball_signature}
+BuildRequires: gnupg2
+%endif
 
 # Only for running the test suite:
 BuildRequires:  /usr/bin/certtool
@@ -393,6 +404,10 @@ plugins for %{name}.
 
 
 %prep
+%if 0%{verify_tarball_signature}
+tmphome="$(mktemp -d)"
+gpgv2 --homedir "$tmphome" --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+%endif
 %setup -q
 %autopatch -p1
 
@@ -666,6 +681,7 @@ popd
 - New upstream version 1.3.2.
 - Remove patches now upstream.
 - New ext2 plugin and subpackage, requires e2fsprogs-devel to build.
+- Enable tarball signatures.
 
 * Wed Jun  6 2018 Richard W.M. Jones <rjones@redhat.com> - 1.3.1-1
 - New upstream version 1.3.1.