diff --git a/libgcrypt-1.4.4-use-fipscheck.patch b/libgcrypt-1.4.4-use-fipscheck.patch
new file mode 100644
index 0000000..aa7d7d1
--- /dev/null
+++ b/libgcrypt-1.4.4-use-fipscheck.patch
@@ -0,0 +1,74 @@
+diff -up libgcrypt-1.4.4/src/fips.c.use-fipscheck libgcrypt-1.4.4/src/fips.c
+--- libgcrypt-1.4.4/src/fips.c.use-fipscheck	2009-03-03 18:10:49.000000000 +0100
++++ libgcrypt-1.4.4/src/fips.c	2009-03-03 18:51:31.000000000 +0100
+@@ -570,23 +570,48 @@ run_random_selftests (void)
+   return !!err;
+ }
+ 
++static int
++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
++{
++    Dl_info info;
++    void *dl, *sym;
++    int rv = -1;
++
++        dl = dlopen(libname, RTLD_LAZY);
++        if (dl == NULL) {
++            return -1;
++        }       
++
++    sym = dlsym(dl, symbolname);
++
++    if (sym != NULL && dladdr(sym, &info)) {
++	strncpy(path, info.dli_fname, pathlen-1);
++	path[pathlen-1] = '\0';
++	rv = 0;
++    }
++
++    dlclose(dl);	
++    
++    return rv;
++}
++
+ /* Run an integrity check on the binary.  Returns 0 on success.  */
+ static int
+ check_binary_integrity (void)
+ {
+ #ifdef ENABLE_HMAC_BINARY_CHECK
+   gpg_error_t err;
+-  Dl_info info;
++  char libpath[4096];
+   unsigned char digest[32];
+   int dlen;
+   char *fname = NULL;
+-  const char key[] = "What am I, a doctor or a moonshuttle conductor?";
++  const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+   
+-  if (!dladdr ("gcry_check_version", &info))
++  if (get_library_path ("libgcrypt.so.11", "gcry_check_version", libpath, sizeof(libpath)))
+     err = gpg_error_from_syserror ();
+   else
+     {
+-      dlen = _gcry_hmac256_file (digest, sizeof digest, info.dli_fname,
++      dlen = _gcry_hmac256_file (digest, sizeof digest, libpath,
+                                  key, strlen (key));
+       if (dlen < 0)
+         err = gpg_error_from_syserror ();
+@@ -594,7 +619,7 @@ check_binary_integrity (void)
+         err = gpg_error (GPG_ERR_INTERNAL);
+       else
+         {
+-          fname = gcry_malloc (strlen (info.dli_fname) + 1 + 5 + 1 );
++          fname = gcry_malloc (strlen (libpath) + 1 + 5 + 1 );
+           if (!fname)
+             err = gpg_error_from_syserror ();
+           else
+@@ -603,7 +628,7 @@ check_binary_integrity (void)
+               char *p;
+ 
+               /* Prefix the basename with a dot.  */
+-              strcpy (fname, info.dli_fname);
++              strcpy (fname, libpath);
+               p = strrchr (fname, '/');
+               if (p)
+                 p++;
diff --git a/libgcrypt.spec b/libgcrypt.spec
index e78f5c8..0242a85 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.4.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 Source0: libgcrypt-%{version}-hobbled.tar.bz2
 # The original libgcrypt sources now contain potentially patented ECC
 # cipher support. We have to remove it in the tarball we ship with
@@ -10,12 +10,14 @@ Source0: libgcrypt-%{version}-hobbled.tar.bz2
 Source2: wk@g10code.com
 Source3: hobble-libgcrypt
 Patch1: libgcrypt-1.4.4-fips-no-access.patch
+Patch2: libgcrypt-1.4.4-use-fipscheck.patch
 
 # Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
 License: LGPLv2+
 Summary: A general-purpose cryptography library
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: gawk, libgpg-error-devel >= 1.4, pkgconfig
+BuildRequires: fipscheck
 Group: System Environment/Libraries
 
 %package devel
@@ -38,6 +40,7 @@ applications using libgcrypt.
 %setup -q
 %{SOURCE3}
 %patch1 -p1 -b .no-access
+%patch2 -p1 -b .use-fipscheck
 
 %build
 %configure --disable-static \
@@ -45,12 +48,22 @@ applications using libgcrypt.
      --disable-asm \
 %endif
      --enable-noexecstack \
+     --enable-hmac-binary-check \
      --enable-pubkey-ciphers='dsa elgamal rsa'
 make %{?_smp_mflags}
 
 %check
+fipshmac src/.libs/libgcrypt.so.??
 make check
 
+# Add generation of HMAC checksums of the final stripped binaries 
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    fipshmac $RPM_BUILD_ROOT/%{_lib}/*.so.?? \
+%{nil}
+
 %install
 rm -fr $RPM_BUILD_ROOT
 %makeinstall
@@ -117,8 +130,8 @@ exit 0
 %files
 %defattr(-,root,root)
 %dir /etc/gcrypt
-/%{_lib}/*.so.*
-#%{_libdir}/%{name}
+/%{_lib}/libgcrypt.so.*
+/%{_lib}/.libgcrypt.so.*.hmac
 
 %files devel
 %defattr(-,root,root)
@@ -128,11 +141,13 @@ exit 0
 %{_includedir}/*
 %{_libdir}/*.so
 %{_datadir}/aclocal/*
-#%{_datadir}/%{name}
 
 %{_infodir}/gcrypt.info*
 
 %changelog
+* Tue Mar  3 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-3
+- add hmac FIPS integrity verification check
+
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild