diff --git a/.gitignore b/.gitignore
index 7b5af79..c7f3961 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 time-1.7.tar.gz
 /time-1.8.tar.gz
 /time-1.9.tar.gz
+/time-1.9.tar.gz.sig
diff --git a/gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg b/gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg
new file mode 100644
index 0000000..c17e162
Binary files /dev/null and b/gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg differ
diff --git a/sources b/sources
index 970e510..3a8c01e 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (time-1.9.tar.gz) = 5c6dabbbe71e9103a47b892b86bb914c1704122d4fe7dff1e2cbd28503297163118d295077d8e062b035d673a1f91c36f8a45c7383f374fd766942b32bde4406
+SHA512 (time-1.9.tar.gz.sig) = cfcd147e237639144d9a37346ea3fce827544320faf8629d92ccea0b27b7c943de523ed54c50fdbafd4f9d77458954e335c0ea7a6462f157d12e6a5e5478beb0
diff --git a/time.spec b/time.spec
index 46db75d..32a0cac 100644
--- a/time.spec
+++ b/time.spec
@@ -40,7 +40,10 @@ Release:    13%{?dist}
 # tests/time-posix-quiet.sh:    GPLv3+
 License:    GPLv3+ and GFDL
 Url:        https://www.gnu.org/software/%{name}/
-Source:     https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
+Source0:    https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
+Source1:    https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz.sig
+# Obtained from a key server
+Source2:    gpgkey-F576AAAC1B0FF849792D8CB129A794FD2272BC86.gpg
 # Fix measuring time when a clock experiences a jump, bug #1004416,
 # <http://lists.gnu.org/archive/html/bug-gnu-utils/2013-09/msg00003.html>
 Patch0:     time-1.8-Prefer-clock_gettime-CLOCK_MONOTONIC.patch
@@ -58,6 +61,7 @@ BuildRequires:  automake
 BuildRequires:  bash
 BuildRequires:  coreutils
 BuildRequires:  gcc
+BuildRequires:  gnupg2
 BuildRequires:  make
 BuildRequires:  texinfo
 # Tests
@@ -69,6 +73,7 @@ the resources used by that program while it is running, and displays
 the results.
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q
 %patch0 -p1
 %patch1 -p1
@@ -98,6 +103,7 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 %changelog
 * Wed Jan 13 2021 Petr Pisar <ppisar@redhat.com> - 1.9-13
 - Update URL and Source addresses (thanks to Robert Scheck)
+- Verify an upstream archive signature
 
 * Mon Nov 16 2020 Petr Pisar <ppisar@redhat.com> - 1.9-12
 - Fix a regression in closing a file descriptor if no --output was given