diff --git a/.gitignore b/.gitignore
index a2635bb..266fb17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@
 /cryptography-2.7.tar.gz
 /cryptography-2.8.tar.gz
 /cryptography-2.9.tar.gz
+/cryptography-2.9.tar.gz.asc
diff --git a/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg b/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
new file mode 100644
index 0000000..dcae2d2
Binary files /dev/null and b/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg differ
diff --git a/python-cryptography.spec b/python-cryptography.spec
index d01a7f1..4e91e64 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -20,15 +20,22 @@
 
 Name:           python-%{srcname}
 Version:        2.9
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        PyCA's cryptography library
 
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/
-Source0:        https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
+Source0:        %{pypi_source}
+Source1:        %{pypi_source}.asc
+# key ids of upstream authors are published in the AUTHORS file:
+#    https://github.com/pyca/cryptography/blob/master/AUTHORS.rst
+# gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98"
+# gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+Source2:        gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
+BuildRequires:  gnupg2
 
 %if 0%{?with_python2}
 BuildRequires:  python2-cffi >= 1.7
@@ -108,6 +115,7 @@ recipes to Python developers.
 %endif
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1 -n %{srcname}-%{version}
 
 %build
@@ -162,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 
 
 %changelog
+* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
+- add source file verification
+
 * Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
 - Update to 2.9 (#1820348)
 
diff --git a/sources b/sources
index 78d2a9a..1fc2f1e 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (cryptography-2.9.tar.gz) = 7db2846b901e42ddc4caa9851235e5a0894ef702d4c4692eb60fcae17bc4e7833782a8001679ea41b78f9273d7d68a4b85810248590e12ca33cfade3208e2849
+SHA512 (cryptography-2.9.tar.gz.asc) = 916a9b013e2f0760dfa965997c7cde0fbfde4b6a6c017325606a134ce8860c3db3a0b6820f79102612ab484105d74a03cd6d80eb494032a3ffb96e82a66b5b92