diff --git a/_build/auto-build-committers.gnupg/pubring.gpg b/_build/auto-build-committers.gnupg/pubring.gpg
new file mode 100644
index 00000000..1a6a7433
Binary files /dev/null and b/_build/auto-build-committers.gnupg/pubring.gpg differ
diff --git a/_build/update_site.sh b/_build/update_site.sh
index 3b45531f..c02ecec1 100755
--- a/_build/update_site.sh
+++ b/_build/update_site.sh
@@ -7,6 +7,7 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin
 source /etc/profile.d/rvm.sh
+AUTHORIZED_SIGNERS_DIR=/bitcoin.org/auto-build-committers.gnupg
 REPO='https://github.com/bitcoin-dot-org/bitcoin.org.git'
 SITEDIR='/bitcoin.org/site'
 DESTDIR='build@bitcoinorgsite:/var/www/site'
@@ -39,6 +40,31 @@ fi
 git reset --hard origin/master
 git clean -x -f -d
+## Whether to auto-build or force-build
+case "${1:-nil}" in
+ auto)
+ ## From git-log(1):
+ ## %G?: show "G" for a Good signature, "B" for a Bad signature, "U"
+ ## for a good, untrusted signature and "N" for no signature
+ if ! GNUPGHOME=$AUTHORIZED_SIGNERS_DIR git log --format='%G?' -1 | egrep -q '^(G|U)$'
+ then
+ echo "Commit tree tip not signed by an authorized signer. Terminating build."
+ exit 1
+ fi
+ ;;
+
+ force)
+ true
+ ;;
+
+ *)
+ echo "$0 "
+ echo
+ echo "auto: only builds if the latest commit is GPG signed by an authorized key"
+ echo "force: builds latest commit no matter what"
+ ;;
+esac
+
 # Copy files to temporary directory
 rsync -rt --delete "$SITEDIR/" "$WORKDIR/"
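Review bot: `AUTHORIZED_SIGNERS_DIR` points at a keyring on the build host (`/bitcoin.org/auto-build-committers.gnupg`) while the same commit adds `_build/auto-build-committers.gnupg/pubring.gpg` to the repository, and nothing here says how the host copy is kept in sync. If the host directory is ever refreshed from the checkout before the signature check in the second hunk runs, the keyring itself becomes controllable by the commit being verified, which would defeat the gate; updating it only out-of-band, or only from a commit that already passed the check, keeps the trust anchor outside the verified tree. A comment at the assignment would pin that requirement down: `# Keyring of authorized signers, maintained on the build host; never refresh it from the working tree before the signature check.`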
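Review bot: The `*)` arm of the new `case` prints usage but falls through, so invoking the script with no argument (`${1:-nil}` makes that the default) or a mistyped one skips the signature check entirely and continues into the rsync and build with no gating at all. The usage text should go to stderr and the arm should terminate, e.g. change the last two lines of that arm to `echo "force: builds latest commit no matter what" >&2` followed by `exit 2` before the `;;`. In the `auto` arm, accepting `U` as well as `G` appears deliberate since membership in the dedicated `GNUPGHOME` keyring is the trust decision rather than GnuPG's trust database, but that reasoning is worth stating in the existing `## %G?` comment; on the same line `egrep` is deprecated in favour of `grep -E`.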