diff --git a/.gitignore b/.gitignore
index cfb5af4..61876e0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,5 @@
 /clufter-*-tests.tar.xz
 /fix-jing-simplified-rng.xsl
 /pacemaker-borrow-schemas
+/clufter-2019-08-15-5CD7F9EF.keyring
+/clufter-0.77.2.tar.gz.asc
diff --git a/clufter.spec b/clufter.spec
index a73610f..eb0b6d7 100644
--- a/clufter.spec
+++ b/clufter.spec
@@ -12,7 +12,7 @@
 
 Name:           clufter
 Version:        0.77.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Tool/library for transforming/analyzing cluster configuration formats
 License:        GPLv2+
 URL:            https://pagure.io/%{name}
@@ -20,6 +20,10 @@ URL:            https://pagure.io/%{name}
 BuildRequires:  gcc
 # required for autosetup macro
 BuildRequires:  git-core
+%if 0%{defined gpgverify}
+# required for OpenPGP package signature verification (per guidelines)
+BuildRequires: gnupg2
+%endif
 
 %if %{with python2}
 # Python 2 related
@@ -58,6 +62,12 @@ Source0:        https://people.redhat.com/jpokorny/pkgs/%{name}/%{name}-%{versio
 Source1:        https://people.redhat.com/jpokorny/pkgs/%{name}/%{name}-%{testver}-tests.tar.xz
 Source2:        https://pagure.io/%{name}/raw/v%{version}/f/misc/fix-jing-simplified-rng.xsl
 Source3:        https://pagure.io/%{name}/raw/v%{version}/f/misc/pacemaker-borrow-schemas
+%if 0%{defined gpgverify}
+Source10:       https://people.redhat.com/jpokorny/pkgs/%{name}/%{name}-%{version}.tar.gz.asc
+# publicly stated signature key rollover policy:
+# https://lists.clusterlabs.org/pipermail/users/2019-August/026234.html
+Source11:       https://people.redhat.com/jpokorny/pkgs/%{name}/%{name}-2019-08-15-5CD7F9EF.keyring
+%endif
 
 %description
 While primarily aimed at (CMAN,rgmanager)->(Corosync/CMAN,Pacemaker) cluster
@@ -181,6 +191,9 @@ configuration: either experimental commands or internally unused, reusable
 formats and filters.
 
 %prep
+%if 0%{defined gpgverify}
+%{gpgverify} --keyring='%{SOURCE11}' --signature='%{SOURCE10}' --data='%{SOURCE0}'
+%endif
 %autosetup -p1 -S git -b 1
 
 %if "%{testver}" != "%{version}"
@@ -433,6 +446,9 @@ test -x '%{_bindir}/%{name}' && test -f "${bashcomp}" \
 %{_datarootdir}/%{name}/ext-plugins/lib-pcs
 
 %changelog
+* Thu Aug 15 2019 Jan Pokorný <jpokorny+rpm-clufter@fedoraproject.org> - 0.77.2-3
+- enable source file verification as mandated with packaging guidelines now
+
 * Wed Aug 14 2019 Jan Pokorný <jpokorny+rpm-clufter@fedoraproject.org> - 0.77.2-2
 - add forgotten BR: python3-distro dependency (in the anticipation of Py3.8)
 
diff --git a/sources b/sources
index 3cb0b48..992a32e 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,6 @@
 SHA512 (clufter-0.77.2.tar.gz) = afb70374242b84cc553e9bc170cb8df014232d8d04bd7c66ffd5edb2c1199f8fc3f691ab2fe675a4798f8d2571c0b817b41efda05f44b950bf460e855aa9c46b
+SHA512 (clufter-0.77.2.tar.gz.asc) = d3dfd87b3c5a6ee45c3fd77ab9797ceddf5c7b3576604f1f5725a74b48b5d62753c729099839a8f69ae4e4f148fc33050e69d33970d556a960880ce70234f34f
 SHA512 (clufter-0.77.2-tests.tar.xz) = 3f2c16732ceef84067be5bf47fb99328425483ba05f3dc7621d1504350525003a1c52e419aacaa7be1bfc90aa17e346496ad238a109453877186e64fd6f621ca
+SHA512 (clufter-2019-08-15-5CD7F9EF.keyring) = beedc493a04e3bd13c88792b0d9c0b9667a3a182416524c755ef1a2d60328c049d79a9ee88648eaf3f5965f8819221667fbb6d7fe2b5c92cd38b96226d44ea31
 SHA512 (fix-jing-simplified-rng.xsl) = a937c01f76556aee2884fb6eed520d21abe9b5d51a6a43faee0f2592376e79813b8d6cdf9fddf820864ba3c009fd61c2b83328a75f2d567a366c163751ffb03a
 SHA512 (pacemaker-borrow-schemas) = 97fbe8a0f3722182cfa65f5c0ab466f2a0f923c6fac3a1cc3dccf819f02d31e738f2129cf88bd8533ac4c4e324c5896e9d447703bc21b64b60e48516282f98e6