diff --git a/debian/bin/genorig.py b/debian/bin/genorig.py
index c3a4eea26..59f31a8c0 100755
--- a/debian/bin/genorig.py
+++ b/debian/bin/genorig.py
@@ -69,6 +69,15 @@ class Main(object):
 def upstream_export(self, input_repo):
 self.log("Exporting %s from %s\n" % (self.tag, input_repo))
+ gpg_wrapper = os.path.join(os.getcwd(),
+ "debian/bin/git-tag-gpg-wrapper")
+ verify_proc = subprocess.Popen(['git',
+ '-c', 'gpg.program=%s' % gpg_wrapper,
+ 'tag', '-v', self.tag],
+ cwd=input_repo)
+ if verify_proc.wait():
+ raise RuntimeError("GPG tag verification failed")
+
 archive_proc = subprocess.Popen(['git', 'archive', '--format=tar',
 '--prefix=%s/' % self.orig, self.tag],
 cwd=input_repo,
diff --git a/debian/bin/git-tag-gpg-wrapper b/debian/bin/git-tag-gpg-wrapper
new file mode 100755
index 000000000..58e1750ee
--- /dev/null
+++ b/debian/bin/git-tag-gpg-wrapper
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+# Instead of calling gpg, call gpgv and provide a local keyring
+
+debian_dir="$(readlink -f "$(dirname "$0")/..")"
+
+# Parse the expected options. If the next two lines are combined, a
+# failure of getopt won't cause the script to exit.
+ordered_args="$(getopt -n "$0" -o "" -l "status-fd:" -l "keyid-format:" -l "verify" -- "$@")"
+eval "set -- $ordered_args"
+gpgv_opts=()
+while true; do
+ case "$1" in
+ --status-fd)
+ gpgv_opts+=(--status-fd $2)
+ shift 2
+ ;;
+ --keyid-format)
+ # ignore
+ shift 2
+ ;;
+ --verify)
+ # ignore
+ shift 1
+ ;;
+ --)
+ shift 1
+ break
+ ;;
+ esac
+done
+
+exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
diff --git a/debian/changelog b/debian/changelog
index ec4575ea0..a2cffde39 100644
--- a/debian/changelog
+++ b/debian/changelog
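Review bot: The new `gpg_wrapper` assignment builds the wrapper path from `os.getcwd()`, so the signature check only works when genorig.py is invoked from the source package root (unless the rest of the script already requires that working directory); from anywhere else git cannot run the configured gpg.program and the generic "GPG tag verification failed" is raised, which is fail-closed but misleading. Anchoring on the script's own location removes the assumption: `gpg_wrapper = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'git-tag-gpg-wrapper')`. The error would also be more useful if it named what was checked, e.g. `raise RuntimeError("GPG tag verification failed for %s" % self.tag)`. A one-line comment above the `verify_proc` Popen stating that the archive step must not run unless `git tag -v` exited 0 would record why this block precedes `archive_proc`. upstream_export continues past the end of the hunk.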
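Review bot: The `case` inside the `while true` loop has no default arm, so any option git passes that is not in getopt's `-l` list makes getopt fail and `-e` exits before `exec gpgv`; verification fails closed, which is the right default for a signature check, but the only diagnostic is getopt's usage error, which says nothing about tag verification. Worth a comment next to `ordered_args=` such as `# Any option not listed here aborts verification; keep in sync with what git passes to gpg.program`, plus a `*) echo "$0: unexpected argument: $1" >&2; exit 1 ;;` arm so an unparsed word can never spin the loop forever. Also quote the descriptor as `gpgv_opts+=(--status-fd "$2")`, consistent with the quoting elsewhere in the script. The header comment could state why gpgv with an explicit `--keyring` is used: it confines trust to the shipped debian/upstream/signing-key.pgp rather than the invoking user's keyring and trust settings, which is the whole point of the wrapper.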
@@ -20,6 +20,7 @@ linux (4.9-1~exp1) UNRELEASED; urgency=medium
 * Use debhelper compatibility level 9
 * [arm64] Revert "arm64/mm: Limit TASK_SIZE_64 ..." and add breaks on incompatible mozjs
+ * genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
 [ Uwe Kleine-König ]
 * enable `perf data' support; patch by Sebastian Andrzej Siewior
diff --git a/debian/upstream/signing-key.pgp b/debian/upstream/signing-key.pgp
new file mode 100644
index 000000000..f8324867b
Binary files /dev/null and b/debian/upstream/signing-key.pgp differ