diff --git a/.gitignore b/.gitignore index c4e3cdf..8cb53aa 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ /results_* /*.src.rpm +/KEYS /apache-log4j-1.2.16.tar.gz /log4j-1.2.17.tar.gz /apache-log4j-2.0-rc1-src.tar.gz @@ -24,3 +25,4 @@ /apache-log4j-2.16.0-src.tar.gz /apache-log4j-2.17.0-src.tar.gz /apache-log4j-2.17.1-src.tar.gz +/apache-log4j-2.17.1-src.tar.gz.asc diff --git a/log4j.spec b/log4j.spec index 3c43ae5..fe5cf79 100644 --- a/log4j.spec +++ b/log4j.spec @@ -2,16 +2,20 @@ Name: log4j Version: 2.17.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Java logging package BuildArch: noarch License: ASL 2.0 URL: https://logging.apache.org/%{name} Source0: https://www.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz +Source1: https://www.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz.asc +Source2: https://www.apache.org/dist/logging/KEYS Patch2: logging-log4j-Remove-unsupported-EventDataConverter.patch +BuildRequires: gnupg2 + BuildRequires: maven-local BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) @@ -137,6 +141,7 @@ Obsoletes: %{name}-manual < %{version} %{summary}. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q -n apache-%{name}-%{version}-src %autopatch -p1 @@ -284,6 +289,9 @@ rm -r log4j-1.2-api/src/main/java/org/apache/log4j/or/jms %changelog +* Thu Jan 06 2022 Malcolm Inglis - 2.17.1-2 +- Enable GPG signature verification of sources + * Tue Dec 28 2021 Paul Wouters - 2.17.1-1 - Update log4j to 2.17.1 for CVE-2021-44832 RCE via JDBC Appender (when attacker controls config) diff --git a/sources b/sources index e09283e..2877306 100644 --- a/sources +++ b/sources 
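Review bot: `Source2` in the `@@ -2,16 +2,20 @@` hunk of log4j.spec takes the keyring from the unversioned `https://www.apache.org/dist/logging/KEYS`, and the `.gitignore` and `sources` hunks show `KEYS` ignored by git and kept in the lookaside cache. A later change to the set of trusted keys would therefore show up only as a different SHA512 line, not as a reviewable diff. Fedora's source-verification guidance, as I recall it, sends the detached signature to the lookaside cache but asks for the keyring to be committed to the package repository; please confirm against the current guideline. If that holds, drop `/KEYS` from `.gitignore` and the `SHA512 (KEYS)` line from `sources`, and commit the keyring file itself.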
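Review bot: The `%{gpgverify}` line added in the `%prep` hunk has no comment saying what a pass proves. With `--keyring='%{SOURCE2}'`, a signature from any key in the bundled KEYS file is accepted, not only one named release signer. Its position ahead of `%setup` is right, since nothing from the tarball is unpacked before the check. I would add above it `# Fail the build unless Source0 has a valid signature (Source1) from a key in Source2; must run before anything is unpacked.` The `%prep` section continues outside the hunk.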
@@ -1 +1,3 @@
 SHA512 (apache-log4j-2.17.1-src.tar.gz) = 21cdfca54eb0d6af261a5ae89ff98197473d9c0203b0ab530f3aef6c90957bfb95a423983c8a19d7fbab05ec194b6fad8e46628e32270dd8b94ddd194a1cb177
+SHA512 (apache-log4j-2.17.1-src.tar.gz.asc) = 49dd72d741ad669a2db9411bb20e6557d564b4c43873b27acc04cf8f50f9b8c43ddbce871e0a2c6abd79c9b58fa57f4ebcb38798e7965ec59641a7e07de3cdce
+SHA512 (KEYS) = c149ef131b44cc261b9efc30510ab40837cd1a26d3c1167cd21be6e3ed1d158de4537b399a09824695fcc6e5280ba73f28f39cdf739815f534c535fd1c42d886