=== modified file 'lisp/emacs-lisp/package.el' --- lisp/emacs-lisp/package.el 2013-08-03 02:34:22 +0000 +++ lisp/emacs-lisp/package.el 2013-09-30 16:50:40 +0000 @@ -739,13 +739,44 @@ (error "Error during download request:%s" (buffer-substring-no-properties (point) (line-end-position)))))) +(declare-function epg-make-context "epg" + (&optional protocol armor textmode include-certs + cipher-algorithm + digest-algorithm + compress-algorithm)) +(declare-function epg-context-set-home-directory "epg" (context directory)) +(declare-function epg-verify-file "epg" (context signature + &optional signed-text plain)) + +(defun package--check-signature (pkg-desc) + "Check signature of a package. +GnuPG keyring is located under \"gnupg\" in `package-user-dir'." + (let* ((location (package-archive-base pkg-desc)) + (sig-file (concat (package-desc-full-name pkg-desc) + (package-desc-suffix pkg-desc) + ".sig")) + (signature (package--with-work-buffer location sig-file + (buffer-string))) + (context (epg-make-context 'OpenPGP))) + (epg-context-set-home-directory context + (expand-file-name "gnupg" package-user-dir)) + (epg-verify-file context signature (buffer-string)))) + (defun package-install-from-archive (pkg-desc) "Download and install a tar package." (let ((location (package-archive-base pkg-desc)) (file (concat (package-desc-full-name pkg-desc) (package-desc-suffix pkg-desc)))) (package--with-work-buffer location file - (package-unpack pkg-desc)))) + (if (condition-case nil + (progn + (package--check-signature pkg-desc) + t) + (error (y-or-n-p + (format "Cannot verify signature of `%s'; \ +install it anyway? " + (package-desc-name pkg-desc))))) + (package-unpack pkg-desc))))) (defvar package--initialized nil)
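Review bot: In `package--check-signature`, the call `(epg-verify-file context signature (buffer-string))` passes the downloaded signature text and the package contents where `epg-verify-file` expects file names, and the verification outcome is never inspected. As far as I know, epg records a bad or unknown-key signature in the context's verify result rather than signalling, so the `condition-case` in `package-install-from-archive` may fire only on download or gpg process failures, not on a bad signature. Verify the in-memory strings with `epg-verify-string` and require at least one signature whose status is `good`, signalling an error otherwise; the `declare-function` forms would need to change to match. Separately, `condition-case nil` shows the same prompt for a missing `.sig` file and for a failed verification, so the user cannot tell which one they are overriding.

```elisp
    ;; … unchanged: let* bindings for location, sig-file, signature, context …
    (epg-context-set-home-directory context
                                    (expand-file-name "gnupg" package-user-dir))
    ;; Verify the strings we already hold instead of treating them as file names.
    (epg-verify-string context signature (buffer-string))
    ;; A .sig may carry several signatures; accept only if one is good.
    (let ((good nil))
      (dolist (sig (epg-context-result-for context 'verify))
        (when (eq (epg-signature-status sig) 'good)
          (setq good t)))
      (unless good
        (error "No good signature for `%s'" (package-desc-name pkg-desc))))
```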