diff --git a/roles/aurweb/defaults/main.yml b/roles/aurweb/defaults/main.yml
index b4e2669a5dd297d22793d27e5200f4c6dc8194b3..f5f5f2141bdc8c64e0ef7765acc3d2111640b8b4 100644
--- a/roles/aurweb/defaults/main.yml
+++ b/roles/aurweb/defaults/main.yml
@@ -9,6 +9,7 @@ aurweb_git_dir: "{{ aurweb_dir }}/aur.git"
 aurweb_git_hook: '/usr/local/bin/aurweb-git-update'
 aurweb_nginx_conf: '/etc/nginx/nginx.d/aurweb.conf'
 aurweb_version: 'live'
+aurweb_pgp_keys: ['0F985B6F99B6686854C44EC3F7E46DED420788F3']
 
 aurweb_db: 'aur'
 aurweb_db_host: 'localhost'
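Review bot: The new `aurweb_pgp_keys` default is the trust anchor for every aurweb deployment, but nothing on the line says whose key it is or how the fingerprint was checked. A comment above it would let a later reviewer judge a change to this list, for example `# Full fingerprints of the OpenPGP keys allowed to sign deployed aurweb commits (<KEY OWNER>); verify out of band before editing.` Keeping the full 40-character fingerprint, as done here, rather than a short key ID is the right choice and worth stating in that comment.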
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 01c637afe86e6c26691399db1f5120bb2a57914f..5691b605f19f44203362567eb798155f4e4e8fc8 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -32,11 +32,21 @@
 - name: Create directory
   file: path={{ aurweb_dir }} state=directory owner={{ aurweb_user }} group=http mode=0775
 
+- name: receive valid signing keys
+  command: /usr/bin/gpg --keyserver keys.openpgp.org --recv {{ item }}
+  loop: '{{ aurweb_pgp_keys }}'
+  become: true
+  become_user: "{{ aurweb_user }}"
+  register: gpg
+  changed_when: "gpg.rc == 0"
+
 - name: clone aurweb repo
   git: >
     repo={{ aurweb_repository }}
     dest="{{ aurweb_dir }}"
     version={{ aurweb_version }}
+    verify_commit: true
+    gpg_whitelist: '{{ aurweb_pgp_keys }}'
   become: true
   become_user: "{{ aurweb_user }}"
   register: release
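Review bot: The added `verify_commit: true` and `gpg_whitelist: '{{ aurweb_pgp_keys }}'` lines sit inside the folded `git: >` scalar, whose other arguments are `key=value` pairs, so they are folded into the same argument string instead of being read as module parameters. As far as I can tell Ansible will then either reject the task for stray free-form text or run the clone without signature verification; either way the whitelist is not enforced as written. Rewriting the task as a native YAML mapping makes both options real parameters and passes the fingerprints as a list. After the change it is worth confirming with a test checkout of an unsigned commit that the task actually fails. The task continues past the end of this hunk.

```yaml
- name: clone aurweb repo
  git:
    repo: "{{ aurweb_repository }}"
    dest: "{{ aurweb_dir }}"
    version: "{{ aurweb_version }}"
    verify_commit: true
    gpg_whitelist: "{{ aurweb_pgp_keys }}"
  # … unchanged: become, become_user, register …
```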