diff --git a/pkgs/applications/networking/browsers/firefox/update.nix b/pkgs/applications/networking/browsers/firefox/update.nix
index e12b552535d..b297e9727b0 100644
--- a/pkgs/applications/networking/browsers/firefox/update.nix
+++ b/pkgs/applications/networking/browsers/firefox/update.nix
@@ -6,6 +6,7 @@
 , gnused
 , gnugrep
 , curl
+, gnupg
 , attrPath
 , runtimeShell
 , baseUrl ? "http://archive.mozilla.org/pub/firefox/releases/"
@@ -15,7 +16,12 @@
 
 writeScript "update-${attrPath}" ''
   #!${runtimeShell}
-  PATH=${lib.makeBinPath [ common-updater-scripts coreutils curl gnugrep gnused xidel ]}
+  PATH=${lib.makeBinPath [ common-updater-scripts coreutils curl gnugrep gnupg gnused xidel ]}
+
+  set -eux
+  HOME=`mktemp -d`
+  export GNUPGHOME=`mktemp -d`
+  gpg --import ${../firefox-bin/mozilla.asc}
 
   url=${baseUrl}
 
@@ -31,5 +37,11 @@ writeScript "update-${attrPath}" ''
            sort --version-sort | \
            tail -n 1`
 
-  update-source-version ${attrPath} "$version" "" "" --version-key=${versionKey}
+  curl --silent --show-error -o "$HOME"/shasums "$url$version/SHA512SUMS"
+  curl --silent --show-error -o "$HOME"/shasums.asc "$url$version/SHA512SUMS.asc"
+  gpgv --keyring="$GNUPGHOME"/pubring.kbx "$HOME"/shasums.asc "$HOME"/shasums
+
+  hash=$(grep '\.source\.tar\.xz$' "$HOME"/shasums | grep '^[^ ]*' -o)
+
+  update-source-version ${attrPath} "$version" "$hash" "" --version-key=${versionKey}
 ''