diff --git a/certbot.spec b/certbot.spec
index 83b0a85..8586e0b 100644
--- a/certbot.spec
+++ b/certbot.spec
@@ -15,12 +15,17 @@
 
 Name:           certbot
 Version:        0.39.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A free, automated certificate authority client
 
 License:        ASL 2.0
 URL:            https://pypi.python.org/pypi/certbot
 Source0:        %pypi_source
+Source1:        %pypi_source.asc
+# key mentioned in docs https://certbot.eff.org/docs/install.html#certbot-auto
+# gpg2 --keyserver pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
+# gpg2 --export --export-options export-minimal A2CFB51FA275A7286234E7B24D17C995CD9775F2 > gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
+Source2:        gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
 
 Source10:       certbot-renew-systemd.service
 Source11:       certbot-renew-systemd.timer
@@ -29,6 +34,7 @@ Source13:       certbot-README.fedora
 
 BuildArch:      noarch
 
+BuildRequires:  gnupg2
 %if %{with python2}
 BuildRequires:  python2-acme >= 0.29.0
 BuildRequires:  python2-configargparse
@@ -190,6 +196,7 @@ The python3 libraries to interface with certbot
 %endif
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -n %{name}-%{version} -p1
 
 
@@ -286,6 +293,9 @@ restorecon -R %{_sysconfdir}/letsencrypt || :
 %endif
 
 %changelog
+* Thu Nov 21 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.39.0-2
+- use GPG source file verification
+
 * Tue Oct 01 2019 Eli Young <elyscape@gmail.com> - 0.39.0-1
 - Update to 0.39.0 (#1757575)
 
diff --git a/gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg b/gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg
new file mode 100644
index 0000000..013feed
Binary files /dev/null and b/gpg-A2CFB51FA275A7286234E7B24D17C995CD9775F2.gpg differ
diff --git a/sources b/sources
index b8d0d2a..6f2582d 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 SHA512 (certbot-0.39.0.tar.gz) = 463083a7d5d086c823372e2e810c905aa13f1a24eb1d8fa55cdfc06b0ba9358d90f400ae5d1bb5d89e0a3137702719a552b6de1f75da0014ec9602897db372d3
+SHA512 (certbot-0.39.0.tar.gz.asc) = 5dbecc1e3084fa9eac6c01aaf26e569a19c602585d2b0e893f02aeb16dc48c2d57d099d0159fd4e1d00b99c3778724741b9f45fadf88762ae78c1613a2c8949d