diff --git a/.gitignore b/.gitignore
index 2a888b2..93aa862 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,6 @@ clog
 *.bz2
 *.rpm
 *.orig
+*.sign
 kernel-[234].*/
 perf-man-*.tar.gz
diff --git a/scripts/stable-update.sh b/scripts/stable-update.sh
index eefd9a9..2ea5fb7 100755
--- a/scripts/stable-update.sh
+++ b/scripts/stable-update.sh
@@ -42,6 +42,21 @@ if [ ! -f patch-$1.xz ]; then
 	fi
 fi
 
+if [ ! -f "patch-$1.sign" ]; then
+        wget "https://cdn.kernel.org/pub/linux/kernel/v4.x/patch-$1.sign"
+        if [ ! $? -eq 0 ]; then
+                echo "Signature download failed"
+                exit 1
+        fi
+fi
+
+xzcat "patch-$1.xz" | gpg2 --verify "patch-$1.sign" -
+if [ ! $? -eq 0 ]; then
+        echo "Patch file has invalid or untrusted signature!"
+        echo "See https://www.kernel.org/category/signatures.html"
+        exit 1
+fi
+
 grep $1 sources &> /dev/null
 if [ ! $? -eq 0 ]; then
 	fedpkg upload patch-$1.xz