diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index 8e0f3d6..1c40e95 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -15,7 +15,35 @@ source=("git+https://github.com/p11-glue/p11-kit#commit=$_commit"
         libnssckbi-compat.patch)
 sha256sums=('SKIP'
             '8f763cdbc6c0ca6c5a7898f9fd6f3018b7ac5b1aca36f67c6c813343c2962962')
-validpgpkeys=('C0F67099B808FB063E2C81117BFB1108D92765AF')
+validpgpkeys=('C0F67099B808FB063E2C81117BFB1108D92765AF' # Stef Walter
+              '462225C3B46F34879FC8496CD605848ED7E69871') # Daiki Ueno
+
+_validate_tag() {
+  local success fingerprint trusted status tag=${pkgver}
+
+  parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1)
+
+  if (( ! success )); then
+    error 'failed to validate tag %s\n' "$tag"
+    return 1
+  fi
+
+  if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then
+    error 'unknown or untrusted public key: %s\n' "$fingerprint"
+    return 1
+  fi
+
+  case $status in
+    'expired')
+      warning 'the signature has expired'
+      ;;
+    'expiredkey')
+      warning 'the key has expired'
+      ;;
+  esac
+
+  return 0
+}
 
 pkgver() {
   cd $pkgname
@@ -25,6 +53,8 @@ pkgver() {
 prepare() {
   cd $pkgname
 
+  _validate_tag || return
+
   # Build and install an additional library (libnssckbi-p11-kit.so) which
   # is a copy of p11-kit-trust.so but uses the same label for root certs as
   # libnssckbi.so ("Builtin Object Token" instead of "Default Trust")
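Review bot: `_validate_tag` checks the signature on the tag named by `$pkgver`, but nothing ties that tag to the commit the package actually builds, which `source=` pins with `#commit=$_commit`; `git verify-tag` validates only the tag object's signature, so the check passes even when the tag and the checked-out commit differ. After the `success` test I would add `if [[ $(git rev-parse "$tag^{commit}") != $(git rev-parse HEAD) ]]; then error 'tag %s does not point at the checked-out commit\n' "$tag"; return 1; fi`, using the same `error` helper the hunk already uses. Note also that `tag=${pkgver}` is read when `prepare()` runs, which for VCS sources is before makepkg re-evaluates `pkgver()` (its body is outside this hunk), so the static `pkgver` in the PKGBUILD must match the tag name exactly or the call fails. `parse_gpg_statusfile` and `in_array` appear to be makepkg internals rather than a documented API, and `2>&1` feeds git's full stderr (not only `[GNUPG:]` status lines) into the parser; a comment above the call such as `# relies on makepkg's internal parse_gpg_statusfile/in_array helpers; --raw status comes on stderr` would tell the next maintainer why a makepkg update may break this. The `_validate_tag || return` call in the second hunk is fine as written; `prepare()` continues outside that hunk.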