diff --git a/debian/bin/git-tag-gpg-wrapper b/debian/bin/git-tag-gpg-wrapper
index 58e1750ee..9982b0140 100755
--- a/debian/bin/git-tag-gpg-wrapper
+++ b/debian/bin/git-tag-gpg-wrapper
@@ -30,4 +30,4 @@ while true; do
 esac
 done
 
-exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
+exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/${DEBIAN_KERNEL_KEYRING:-signing-key.pgp}" -- "$@"
diff --git a/debian/changelog b/debian/changelog
index feb3850fb..153220295 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -363,6 +363,7 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
 * [arm64] video/fbdev: Change FB from module to built-in
 * [arm64,armhf] video/fbdev: Enable FB_EFI (Closes: #851778)
 * fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
+ * [rt] genpatch.py: Verify tag and tarball signatures
 
 [ Salvatore Bonaccorso ]
 * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
diff --git a/debian/patches/features/all/rt/genpatch.py b/debian/patches/features/all/rt/genpatch.py
index 6253a4ece..eb3792d35 100755
--- a/debian/patches/features/all/rt/genpatch.py
+++ b/debian/patches/features/all/rt/genpatch.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-import errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
+import codecs, errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
 
 def main(source, version=None):
 patch_dir = 'debian/patches'
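Review bot: The keyring name read from `DEBIAN_KERNEL_KEYRING` is spliced into the `--keyring` path on the new exec line without being constrained to a bare file name, so a value containing `/` selects a keyring outside `$debian_dir/upstream`. The wrapper runs with the caller's own environment, so this is a footgun rather than a trust-boundary crossing, but it costs one line before the exec to reject: `case "${DEBIAN_KERNEL_KEYRING:-}" in */*) echo "DEBIAN_KERNEL_KEYRING must be a bare file name" >&2; exit 1;; esac`. The variable is also undocumented in the wrapper; a comment above the exec such as `# DEBIAN_KERNEL_KEYRING selects an alternative keyring under debian/upstream (default: signing-key.pgp)` would tell the next reader where it comes from. The `while` loop that the hunk closes starts outside the hunk.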
@@ -44,13 +44,25 @@ def main(source, version=None):
 if os.path.isdir(os.path.join(source, '.git')):
 # Export rebased branch from stable-rt git as patch series
 up_ver = re.sub(r'-rt\d+$', '', version)
- args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
 env = os.environ.copy()
 env['GIT_DIR'] = os.path.join(source, '.git')
- child = subprocess.Popen(args,
- cwd=os.path.join(patch_dir, rt_patch_dir),
- env=env, stdout=subprocess.PIPE)
- with io.open(child.stdout.fileno(), encoding='utf-8') as pipe:
+ env['DEBIAN_KERNEL_KEYRING'] = 'rt-signing-key.pgp'
+
+ # Validate tag signature
+ gpg_wrapper = os.path.join(os.getcwd(),
+ "debian/bin/git-tag-gpg-wrapper")
+ verify_proc = subprocess.Popen(['git',
+ '-c', 'gpg.program=%s' % gpg_wrapper,
+ 'tag', '-v', 'v%s-rebase' % version],
+ env=env)
+ if verify_proc.wait():
+ raise RuntimeError("GPG tag verification failed")
+
+ args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
+ format_proc = subprocess.Popen(args,
+ cwd=os.path.join(patch_dir, rt_patch_dir),
+ env=env, stdout=subprocess.PIPE)
+ with io.open(format_proc.stdout.fileno(), encoding='utf-8') as pipe:
 for line in pipe:
 name = line.strip('\n')
 with open(os.path.join(patch_dir, rt_patch_dir, name)) as \
@@ -60,6 +72,7 @@ def main(source, version=None):
 assert match
 origin = 'https://git.kernel.org/cgit/linux/kernel/git/rt/linux-stable-rt.git/commit?id=%s' % match.group(1)
 add_patch(name, source_patch, origin)
+
 else:
 # Get version and upstream version
 if version is None:
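Review bot: Only one end of the exported range is authenticated: `git tag -v` checks `v<version>-rebase`, but `format-patch` is then run over `v<up_ver>..v<version>-rebase` and the base tag is taken on trust. Because every commit format-patch emits is an ancestor of the verified tag, a moved base tag can change which commits end up in the series but cannot introduce unsigned content; that reasoning is non-obvious and deserves a comment next to the verify call, e.g. `# Only the -rebase tag is verified; v<up_ver> is trusted, which bounds what is exported but not its authenticity`. A secondary point: git exits non-zero for a missing tag as well as for a bad signature, so the "GPG tag verification failed" RuntimeError can be misleading when the tag simply does not exist, with git's own stderr as the only hint. main() continues beyond both hunks.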
@@ -70,6 +83,22 @@ def main(source, version=None):
 assert match, 'could not parse version string'
 up_ver = match.group(1)
 
+ # Expect an accompanying signature, and validate it
+ source_sig = re.sub(r'.[gx]z$', '.sign', source)
+ unxz_proc = subprocess.Popen(['xzcat', source],
+ stdout=subprocess.PIPE)
+ verify_output = subprocess.check_output(
+ ['gpgv', '--status-fd', '1',
+ '--keyring', 'debian/upstream/rt-signing-key.pgp',
+ '--ignore-time-conflict', source_sig, '-'],
+ stdin=unxz_proc.stdout)
+ if unxz_proc.wait() or \
+ not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s',
+ codecs.decode(verify_output),
+ re.MULTILINE):
+ os.write(2, verify_output) # bytes not str!
+ raise RuntimeError("GPG signature verification failed")
+
 temp_dir = tempfile.mkdtemp(prefix='rt-genpatch', dir='debian')
 try:
 # Unpack tarball
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index a61050820..f9b965374 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1 +1,2 @@
+debian/upstream/rt-signing-key.pgp
 debian/upstream/signing-key.pgp
diff --git a/debian/upstream/rt-signing-key.pgp b/debian/upstream/rt-signing-key.pgp
new file mode 100644
index 000000000..f55b064cf
Binary files /dev/null and b/debian/upstream/rt-signing-key.pgp differ
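Review bot: The failure path is inconsistent: `subprocess.check_output` raises CalledProcessError on any non-zero gpgv exit, which is exactly what a bad signature or an unknown key produces, so those cases never reach the `VALIDSIG` test, never print the diagnostic via `os.write(2, ...)`, and skip `unxz_proc.wait()`; verification still fails closed, but with a traceback instead of the intended RuntimeError. Two smaller points in the same lines: the `.` in `r'.[gx]z$'` is unescaped and should be `r'\.[gx]z$'`, and the regex admits a `.gz` source while the decompressor is hard-coded to `xzcat`, which cannot read gzip, so a `.gz` tarball would fail at `unxz_proc.wait()` with the misleading "GPG signature verification failed". The parent also keeps its copy of `unxz_proc.stdout` open after handing it to gpgv, which the subprocess docs recommend closing so the decompressor gets EOF/SIGPIPE if gpgv exits early. With `verify_output.decode()` in place of `codecs.decode(verify_output)` the `codecs` import added in the first hunk becomes unnecessary. main() continues outside the hunk.
```python
        # Expect an accompanying signature, and validate it
        source_sig = re.sub(r'\.[gx]z$', '.sign', source)
        # The signature covers the uncompressed data; pick the decompressor
        # by suffix rather than assuming xz.
        decompress = 'zcat' if source.endswith('.gz') else 'xzcat'
        unxz_proc = subprocess.Popen([decompress, source],
                                     stdout=subprocess.PIPE)
        verify_proc = subprocess.Popen(
            ['gpgv', '--status-fd', '1',
             '--keyring', 'debian/upstream/rt-signing-key.pgp',
             '--ignore-time-conflict', source_sig, '-'],
            stdin=unxz_proc.stdout, stdout=subprocess.PIPE)
        # Close our end so the decompressor sees EOF/SIGPIPE if gpgv
        # exits early instead of blocking on a full pipe.
        unxz_proc.stdout.close()
        verify_output = verify_proc.communicate()[0]
        # gpgv's exit status is checked explicitly, so a bad signature
        # takes the same diagnostic path as a missing VALIDSIG line.
        if unxz_proc.wait() or verify_proc.returncode or \
           not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s',
                         verify_output.decode(),
                         re.MULTILINE):
            os.write(2, verify_output)  # bytes not str!
            raise RuntimeError("GPG signature verification failed")
```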