diff --git a/gentoostrap.sh b/gentoostrap.sh
index da0bc2a..e4ce2fa 100755
--- a/gentoostrap.sh
+++ b/gentoostrap.sh
@@ -97,10 +97,27 @@ build-gentoo() {
 			| uniq \
 			| head -n 1
 		)"
-	stage3file="$(mktemp "tmp.$USER.$_name.XXXXXX-stage3.tar.xz" -p "/tmp")"
+	stage3file="/tmp/tmp.$USER.$_name.stage3.tar.xz"
+	stage3sig="/tmp/tmp.$USER.$_name.stage3.tar.xz.DIGESTS.asc"
+	for file in "$stage3file" "$stage3sig"; do
+		touch "$file"
+		chmod 0600 "$file"
+	done
 	trap "cleanup $stage3file" EXIT
-	log "Getting tarball from: $stage3"
-	curl -s "$stage3" -o "$stage3file"
+	# We grab the signature first to verify the integrity of any tarball leftover from a previous run
+	log "Downloading stage3 signature"
+	curl -s "$stage3.DIGESTS.asc" -o "$stage3sig"
+	if ! [ -f "$stage3file" ]; then
+		log "Downloading stage3"
+		curl -s "$stage3" -o "$stage3file"
+	elif ! openssl dgst -r -sha512 "$stage3file"; then
+		log "Signature verification failed; downloading new stage3"
+		curl -s "$stage3" -o "$stage3file"
+	fi
+	# At this point, we should have a new stage3 that matches our signature; die of not
+	if ! openssl dgst -r -sha512 "$stage3file"; then
+		error "stage3 signature verification failed" 50
+	fi
 	log "Decompressing tarball; this will prompt for root privileges"
 	sudo tar xf "$stage3file" -C "$_optdest"
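Review bot: Both `openssl dgst -r -sha512 "$stage3file"` calls only print a digest and exit 0 for any readable file, so nothing is compared against `$stage3sig`, and the PGP signature on `.DIGESTS.asc` is never checked; the "verification" therefore passes for any content that then reaches `sudo tar xf`. Because the `touch` loop creates `$stage3file` first, `! [ -f "$stage3file" ]` can never be true, so on a fresh run no tarball is downloaded at all. Replacing `mktemp` with fixed names in world-writable `/tmp` also lets another local user pre-create or symlink those paths before `touch`, `chmod` and `curl -o` run; a per-user directory keeps the reuse-between-runs goal without that exposure. `curl -s` without `-f` will additionally save an HTTP error page as the tarball or digest file. The fence sketches the intended flow; build-gentoo starts and continues outside this hunk, and a keyring that trusts only the release signing key is assumed to be provisioned elsewhere.

```shell
	# Per-user cache dir instead of predictable names in world-writable /tmp
	cachedir="${XDG_CACHE_HOME:-$HOME/.cache}/gentoostrap"
	mkdir -p -m 0700 "$cachedir"
	stage3file="$cachedir/$_name.stage3.tar.xz"
	stage3sig="$stage3file.DIGESTS.asc"
	# … unchanged: trap "cleanup $stage3file" EXIT …
	log "Downloading stage3 signature"
	curl -fsS "$stage3.DIGESTS.asc" -o "$stage3sig" \
		|| error "stage3 digest download failed" 50
	# Authenticate the digest list first and use only the signed text;
	# grepping the raw .asc would also match unsigned text around the armor.
	digests="$(gpg --decrypt "$stage3sig")" \
		|| error "stage3 signature verification failed" 50
	stage3_ok() {
		local sum
		[ -s "$stage3file" ] || return 1
		sum="$(openssl dgst -r -sha512 "$stage3file" | cut -d' ' -f1)"
		[ -n "$sum" ] && printf '%s\n' "$digests" | grep -qF -- "$sum"
	}
	if ! stage3_ok; then
		log "Downloading stage3"
		curl -fsS "$stage3" -o "$stage3file" \
			|| error "stage3 download failed" 50
	fi
	stage3_ok || error "stage3 signature verification failed" 50
	# … unchanged: log + sudo tar xf "$stage3file" -C "$_optdest" …
```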