diff --git a/sig.txt b/sig.txt
new file mode 100644
index 0000000..cfa0675
--- /dev/null
+++ b/sig.txt
@@ -0,0 +1,6 @@
+a2a1ad7ba7f41dfca4514e2afeb90691719af6d0fdbed4b09bbf0ed897701ceb com.google.android.apps.youtube.music
+3d7a1223019aa39d9ea0e3436ab7c0896bfb4fb679f4de5fe7c23f326c8f994a com.google.android.youtube
+970b91143813b4c9d5f3634f672c9fcaa5621b4efaaedafd6c235cbbb869736f com.reddit.frontpage
+0fd9a0cfb07b65950997b4eaebdc53931392391aa406538a3b04073bc2ce2fe9 com.twitter.android
+9041803e91bcb814b4b4399fb5c85a91640b755e5e8ba76813814bf4cf2ab5ba com.zhiliaoapp.musically
+1338f9b049893cc70b78432a177582f90bd4bc6296ea4ed35bcc7df59687ac53 tv.twitch.android.app
\ No newline at end of file
diff --git a/utils.sh b/utils.sh
index 0679583..83b5abc 100755
--- a/utils.sh
+++ b/utils.sh
@@ -325,6 +325,15 @@ patch_apk() {
 	[ -f "$patched_apk" ]
 }
 
+check_sig() {
+	local file=$1 pkg_name=$2
+	local sig
+	if grep -q "$pkg_name" sig.txt; then
+		sig=$(java -jar "$APKSIGNER" verify --print-certs "$file" | grep ^Signer | grep SHA-256 | tail -1 | awk '{print $NF}')
+		grep -qFx "$sig $pkg_name" sig.txt
+	fi
+}
+
 build_rv() {
 	eval "declare -A args=${1#*=}"
 	local version build_mode_arr pkg_name
@@ -393,6 +402,9 @@ build_rv() {
 		done
 		if [ ! -f "$stock_apk" ]; then return 0; fi
 	fi
+	if ! check_sig "$stock_apk" "$pkg_name"; then
+		abort "apk signature mismatch '$stock_apk'"
+	fi
 	log "${table}: ${version}"
 
 	p_patcher_args+=("-m ${args[integ]}")