diff --git a/gnupg-2.3.3-disable-sha1.patch b/gnupg-2.3.3-disable-sha1.patch
new file mode 100644
index 0000000..6907ee8
--- /dev/null
+++ b/gnupg-2.3.3-disable-sha1.patch
@@ -0,0 +1,25 @@
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 84706ca6b..74946b0dd 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2573,6 +2573,7 @@ main (int argc, char **argv)
+ 
+ /* Set default options which require that malloc stuff is ready. */
+ additional_weak_digest ("MD5");
++ additional_weak_digest ("SHA1");
+ parse_auto_key_locate (DEFAULT_AKL_LIST);
+ 
+ argc = orig_argc;
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index ceded4af9..277d3c8ca 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -205,6 +205,7 @@ main( int argc, char **argv )
+ dotlock_disable ();
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+ additional_weak_digest("MD5");
++ additional_weak_digest("SHA1");
+ gnupg_initialize_compliance (GNUPG_MODULE_NAME_GPG);
+ 
+ pargs.argc = &argc;
+ 
diff --git a/gnupg2.spec b/gnupg2.spec
index 8e0a1a7..90b5acc 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -31,6 +31,8 @@ Patch30: gnupg-2.2.21-coverity.patch
 Patch31: gnupg-2.3.1-revert-default-eddsa.patch
 # Revert default EdDSA key types
 Patch32: gnupg-2.3.3-CVE-2022-34903.patch
+# Mark SHA-1 weak algorithm to prevent its usage for verification
+Patch33: gnupg-2.3.3-disable-sha1.patch
 
 URL: https://www.gnupg.org/
 
@@ -116,6 +118,7 @@ to the base GnuPG package
 %patch30 -p1 -b .coverity
 %patch31 -p1 -R -b .eddsa
 %patch32 -p1 -b .CVE-2022-34903
+%patch33 -p1 -b .sha1
 
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
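Review bot: The new patch file opens directly with its first `diff --git` and carries no header, so nothing inside it records why SHA-1 is added to the weak-digest list, whether the change is downstream-only, or what a user does when an older key's SHA-1 signatures stop verifying; add a short preamble above the first `diff --git` line, e.g. `Downstream: treat SHA-1 like MD5 as a weak digest so SHA-1 signatures are rejected at verification; gpg's --allow-weak-digest-algos restores the previous behaviour.` Both inner hunks place the call before option parsing (ahead of `argc = orig_argc;` in gpg.c and `pargs.argc = &argc;` in gpgv.c), which makes this a hard-coded default rather than a policy a configuration file could adjust, and that should be stated as deliberate. Whether gpgv offers an equivalent override is not visible here and is worth confirming before shipping, since gpgv is the verifier typically used by package tooling. The `main` functions of both gpg.c and gpgv.c start and end outside these hunks.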
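Review bot: The comment added above `Patch33:` reads awkwardly and names the mechanism rather than the user-visible effect; suggest `# Treat SHA-1 as a weak digest (like MD5) so SHA-1 signatures are rejected at verification time`. The corresponding `%patch33 -p1 -b .sha1` line in the second gnupg2.spec hunk follows the same form as the other patch applications and needs no change.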