diff --git a/tasks/download.json b/tasks/download.json
index 38a5d30c..50e6076a 100644
--- a/tasks/download.json
+++ b/tasks/download.json
@@ -8,6 +8,11 @@
 "path": {
 "type": "String",
 "description": "Where to save the downloaded file"
+ },
+ "check_download": {
+ "type": "Boolean",
+ "description": "Whether to check the integrity of the downloaded file",
+ "default": true
 }
 },
 "input_method": "environment",
diff --git a/tasks/download.sh b/tasks/download.sh
index 6d342618..72f71b49 100755
--- a/tasks/download.sh
+++ b/tasks/download.sh
@@ -11,3 +11,35 @@ else
 printf '%s\n' "Downloading: ${PT_source}" >&2
 curl -f -L -o "$PT_path" "$PT_source"
 fi
+ if [[ "$PT_check_download" == "false" ]]; then
+ exit 0
+ fi
+ if ! which -s gpg ; then
+ echo "gpg binary required in path for checking download. Skipping check."
+ exit 0
+ fi
+ echo "Importing Puppet gpg public key"
+ gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key 4528B6CD9E61EF26
+ if gpg --list-key --fingerprint 4528B6CD9E61EF26 | grep -q -E "D681 +1ED3 +ADEE +B844 +1AF5 +AA8F +4528 +B6CD +9E61 +EF26" ; then
+ echo "gpg public key imported successfully."
+ else
+ echo "Could not import gpg public key - wrong fingerprint."
+ exit 1
+ fi
+ sigpath=${PT_path}.asc
+ sigsource=${PT_source}.asc
+ echo "Downloading tarball signature from ${sigsource}..."
+ curl -f -L -o "${sigpath}" "${sigsource}"
+ echo "Downloaded tarball signature to ${sigpath}."
+ echo "Checking tarball signature at ${sigpath}..."
+ if gpg --verify "${sigpath}" "${PT_path}" ; then
+ echo "Signature verification succeeded."
+ else
+ echo "Signature verification failed, please re-run the installation."
+ exit 1
+ fi
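Review bot: The new `check_download` description, "Whether to check the integrity of the downloaded file", understates both what the flag controls and its precondition: in download.sh it means fetching `<source>.asc` and verifying that detached GPG signature against the Puppet release key, and the check is skipped with exit 0 when `gpg` is not on PATH, so the `true` default does not by itself guarantee verification. Suggest `"description": "Whether to verify the GPG signature (<source>.asc) of the downloaded file against the Puppet release key; requires gpg on PATH, otherwise the check is skipped with a warning"`. If the skip-when-missing behaviour is later tightened to a failure, this text should be updated in the same change.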
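Review bot: The final `gpg --verify "${sigpath}" "${PT_path}"` accepts a good signature from any key present in the invoking user's default keyring, not only the Puppet key imported just above, because `--verify` exits 0 for a valid signature regardless of which key made it or how trusted it is; and `--recv-key` by 64-bit key ID followed by a separate `grep` for the fingerprint still lets a colliding-ID key returned by the keyserver land in that same keyring alongside the genuine one. The verification should run in a throwaway `--homedir`, fetch the key by its full fingerprint (GnuPG 2.1+ drops keyserver results whose fingerprint does not match the request), and confirm the pinned fingerprint on the `VALIDSIG` status line, as sketched below (the fingerprint may appear as the first or the last field of that line depending on whether a subkey signed, hence the loose regex). Two smaller points: `which -s` is a BSD/macOS option, so on Linux hosts whose `which` rejects it the `!` test fires and the check is silently skipped with exit 0 — use `command -v gpg >/dev/null 2>&1`, and consider failing rather than skipping since the task defaults `check_download` to true; and on a failed signature the unverified file is left at `$PT_path`, so `rm -f -- "$PT_path" "$sigpath"` belongs before that `exit 1`. The `if`/`else` that the three context lines close begins before the hunk, and the new diagnostics go to stdout via `echo` while the existing lines print to stderr with `printf … >&2`.

```shell
# … unchanged: check_download early exit …
if ! command -v gpg >/dev/null 2>&1; then
  printf '%s\n' "gpg binary required in path for checking download." >&2
  exit 1
fi

# Pin the Puppet release key by full fingerprint and verify in an isolated
# keyring so keys already in ~/.gnupg can never satisfy the check.
puppet_fpr="D6811ED3ADEEB8441AF5AA8F4528B6CD9E61EF26"
gpg_home=$(mktemp -d) || exit 1
trap 'rm -rf -- "$gpg_home"' EXIT

echo "Importing Puppet gpg public key"
if ! gpg --homedir "$gpg_home" --batch --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys "$puppet_fpr"; then
  printf '%s\n' "Could not import gpg public key ${puppet_fpr}." >&2
  exit 1
fi

# … unchanged: sigpath/sigsource assignment and signature download …

# A 0 exit from --verify only means "some key in the keyring signed this";
# require the VALIDSIG status line to name the pinned fingerprint.
if gpg --homedir "$gpg_home" --batch --status-fd 1 --verify "${sigpath}" "${PT_path}" 2>/dev/null \
    | grep -q -E "^\[GNUPG:\] VALIDSIG .*${puppet_fpr}"; then
  echo "Signature verification succeeded."
else
  printf '%s\n' "Signature verification failed, please re-run the installation." >&2
  rm -f -- "$PT_path" "$sigpath"   # never leave an unverified tarball at the destination
  exit 1
fi
```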