Verify upstream sources with GPG

This is now a recommended thing to do:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

Regardless if it adds actual security, it should prevent problems like this one:
https://mail.python.org/archives/list/python-dev@python.org/message/OYNQS2BZYABXACBRHBHV4RCEPQU5R6EP/

python38.spec

@@ -159,6 +159,7 @@ BuildRequires: gdbm-devel
 BuildRequires: glibc-all-langpacks
 BuildRequires: glibc-devel
 BuildRequires: gmp-devel
+BuildRequires: gnupg2
 BuildRequires: libappstream-glib
 BuildRequires: libffi-devel
 BuildRequires: libnsl2-devel
@@ -209,7 +210,9 @@ BuildRequires: python%{pyshortver}
 # Source code and patches
 # =======================
 
-Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
+Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
+Source1: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz.asc
+Source2: %{url}static/files/pubkeys.txt
 
 # A simple script to check timestamps of bytecode files
 # Run in check section with Python that is currently being built
@@ -570,6 +573,7 @@ version once Python %{pybasever} is stable.
 # ======================================================
 
 %prep
+%gpgverify -k2 -s1 -d0
 %setup -q -n Python-%{upstream_version}
 # Remove all exe files to ensure we are not shipping prebuilt binaries
 # note that those are only used to create Microsoft Windows installers

sources

@@ -1 +1,2 @@
 SHA512 (Python-3.8.0.tar.xz) = 5f9bfcb3acdf592770a9d5abd2c32c68c55a49b92f958ded069e3ef31cf2d415e67112b4f6738fab237dc29e5c622298719946d2e9471e7e78e3a6bdf2fac1d1
+SHA512 (Python-3.8.0.tar.xz.asc) = 4741bcb9b79019f190fded565dd9851158911f1b0ba71f5972906c267ca6576ebfae7c1e649f8bd9fee6ce2cabb325ef1d85a28ab5962fc9275072d35229d06d