diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
index 6f7bcb5f..a70fd659 100644
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@@ -962,13 +962,29 @@ scan_commit_object (OtPullData *pull_data,
 
   if (pull_data->gpg_verify)
     {
-      if (!ostree_repo_verify_commit (pull_data->repo,
-                                      checksum,
-                                      NULL,
-                                      NULL,
-                                      cancellable,
-                                      error))
+      gs_unref_object OstreeGpgVerifyResult *result = NULL;
+
+      result = ostree_repo_verify_commit_ext (pull_data->repo,
+                                              checksum,
+                                              NULL,
+                                              NULL,
+                                              cancellable,
+                                              error);
+
+      if (result == NULL)
         goto out;
+
+      /* Allow callers to output the results immediately. */
+      g_signal_emit_by_name (pull_data->repo,
+                             "gpg-verify-result",
+                             checksum, result);
+
+      if (ostree_gpg_verify_result_count_valid (result) == 0)
+        {
+          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                       "GPG signatures found, but none are in trusted keyring");
+          goto out;
+        }
     }
 
   if (!ostree_repo_load_variant (pull_data->repo, OSTREE_OBJECT_TYPE_COMMIT, checksum,
diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c
index 62500518..25400463 100644
--- a/src/libostree/ostree-repo.c
+++ b/src/libostree/ostree-repo.c
@@ -77,6 +77,10 @@
  */
 typedef struct {
   GObjectClass parent_class;
+
+  void (*gpg_verify_result) (OstreeRepo *self,
+                             const char *checksum,
+                             OstreeGpgVerifyResult *result);
 } OstreeRepoClass;
 
 enum {
@@ -85,6 +89,13 @@ enum {
   PROP_PATH
 };
 
+enum {
+  GPG_VERIFY_RESULT,
+  LAST_SIGNAL
+};
+
+static guint signals[LAST_SIGNAL] = { 0 };
+
 G_DEFINE_TYPE (OstreeRepo, ostree_repo, G_TYPE_OBJECT)
 
 GS_DEFINE_CLEANUP_FUNCTION0(GKeyFile*, local_keyfile_unref, g_key_file_unref)
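Review bot: The trust decision in the added block rests solely on `ostree_gpg_verify_result_count_valid (result) == 0`, yet the error text asserts that signatures were found; whether `ostree_repo_verify_commit_ext` can hand back a non-NULL result that carries no signatures at all is not visible in this hunk, and if it can, an unsigned commit would be reported as a keyring problem, so that contract should be confirmed or the message made neutral (e.g. `"No valid GPG signature found for commit %s"` with the checksum). The `g_signal_emit_by_name` call runs before that check, so connected handlers observe results for commits the pull is about to reject; the comment above it should make that explicit, e.g. `/* Emitted before the trust decision below: handlers must treat the result as informational, not as acceptance of the commit. */`. The rejected path is still safe since the `gs_unref_object` cleanup releases `result` on `goto out`. scan_commit_object begins and ends outside the hunk.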
@@ -472,6 +483,29 @@ ostree_repo_class_init (OstreeRepoClass *klass)
                                                         "",
                                                         G_TYPE_FILE,
                                                         G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+
+  /**
+   * OstreeRepo::gpg-verify-result:
+   * @self: an #OstreeRepo
+   * @checksum: checksum of the signed object
+   * @result: an #OstreeGpgVerifyResult
+   *
+   * Emitted during a pull operation upon GPG verification (if enabled).
+   * Applications can connect to this signal to output the verification
+   * results if desired.
+   *
+   * The signal will be emitted from whichever #GMainContext is the
+   * thread-default at the point when ostree_repo_pull_with_options()
+   * is called.
+   */
+  signals[GPG_VERIFY_RESULT] = g_signal_new ("gpg-verify-result",
+                                             OSTREE_TYPE_REPO,
+                                             G_SIGNAL_RUN_LAST,
+                                             G_STRUCT_OFFSET (OstreeRepoClass, gpg_verify_result),
+                                             NULL, NULL, NULL,
+                                             G_TYPE_NONE, 2,
+                                             G_TYPE_STRING,
+                                             OSTREE_TYPE_GPG_VERIFY_RESULT);
 }
 
 static void
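Review bot: The documentation block added before the `g_signal_new` call does not tell applications what the emitted result means for the pull's outcome, which is the one thing a handler that logs or audits verification needs to know; from the ostree-repo-pull.c hunk the emission happens before the validity check, so a handler must not read emission as acceptance. I would extend the docstring with a sentence such as `The result is informational: it is emitted before the pull decides whether the commit is trusted, so handlers must not infer acceptance of @checksum from this signal alone.`, and note that @result is only valid for the duration of the handler unless the handler takes its own reference, since the emitting code releases it on return. The claim about the thread-default #GMainContext cannot be checked from this diff; if scan_commit_object can run outside the caller's context that sentence should be verified against the pull code before it is published as API documentation. The enclosing ostree_repo_class_init starts outside the hunk.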