diff --git a/keys/joshdata.asc b/keys/joshdata.asc new file mode 100644 index 00000000..e212cee1 --- /dev/null +++ b/keys/joshdata.asc @@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQENBFN+hN4BCADARMfTK/kDWNz5tFVXXrLfY0QSF9CBO4+vor3MVUmq5ygMcyq4 +NX1FVDKoruzCo5hI/91o1QZuer5oZ716TACg46XivdgL66Y7rMZL5rVDmUKuDWit +tpVrL0Gaw6xsu7/ZloFDyHI5yUvB1cdGe4HYZY1Xn/2CE0YJaXxO2JjkTNWSiutx +LA0RV08nPeaiAt1KcCa2tO7RkG51uC0O3O67xr6xz6/q95Q2DBJpLYpoh+6yIoEY +L736peHQKZfcFfCOPQKpxKW+SEsUTvJ8qzQipGYpugiGGhDHzXBYKJk1V77BbWAP +3x4Ubj4UWFB54yhgPrBgvQajvoB08mzZEnopABEBAAG0IEpvc2h1YSBUYXViZXJl +ciA8anRAb2NjYW1zLmluZm8+iQE5BBMBAgAjBQJTfoTeAhsDBwsJCAcDAgEGFQgC +CQoLBBYCAwECHgECF4AACgkQuSBB9MEL3YFFOQgAkDfptbzC9Lq4zstIfUPl4by/ +NeoCpsYahaNwWLYiDpQEUZIOsJO1Qi2IFll4tXAyDTGAXYZCbf4+v1lzVyN49h5j +70BuajISI6dcAb1IEZzIXx0vV1rMuu0iNYdwhFNi8KrP5iR3BHwZZ5Lql1UdkJNT +xVrz4cmr5jPGdFRizD9MXrI4bvt+pSOeykJasuTeH7a3uHBMPyydAivtbNRbo+Zn +IgV25FUADSFt6xD9AKfq6wLxN+P8P6PE/jZWDv9W4KtR5TqAhCq7D7Yvk8aJXubN +P2xfjFl6TXa5bcuHuldkmx5lacpag2HSmivIT261W3pIVC3lrkxB8T6rdux8ErkB +DQRTfoTeAQgAn5ijmVJtxPGvbdcaCsYD3+fCnAKNEdAJtJcy/e/lowKeEiIJZ9qV +ATFIFmIG9VZunZ7nD5F/4KMj6ht0JTXuY458VjK9jO1bPU2YM7Xo7zjJi8bFI0B/ +2ya95M7polLUF/lhKHKUuxxANAW4guLahe5JotUnoRycxQkKWBhTF5VdayucSAZG +XlmSBUjIGjHbmTI50dAMQZffNOIvDIkpeCEQjPVRObCvr18xKDHhBaEJhd+wfA2T +6N4fMlwBgfeR1zdFrGt2SshVc28YvaoccWmP1xn6w/30J25swadeuDYZFckXjVv7 +HPLtvyzuNdf7pI0A9rnlGF5rNt6yKSqeiQARAQABiQEfBBgBAgAJBQJTfoTeAhsM +AAoJELkgQfTBC92B0rAH/0hSoHcB5WIn4GLTz0D0wWQ6Y2wKDixOBGvH+S9aroSc +0bKud7VphpFm/4CKWOZ0sphsnmRZ2Dsk/3996pXjLL5T1HWgAkltYmTdWEg9BiEj +PlbcImF95tILJ7GC0QrXipUx+ktLayiT5LjcbZiYCGaWVdJM2hVdOLdHhh84dqNX +xautvI8RDFI1lN0RdyFA5CQAvIWOSTLC1QdLAgkCf7+uQGwUo2ubgapPWptRJYk8 +rZuw6+Vi3NETYO0ExDxTFmVKRlMidsE0azMeY6JYpKb9jewKngfxa6oUSaygrhxQ +9gESPA2XZUvx/3PWBAMskBZxjOH/Lhabls0AUxaOYf0= +=SHsx +-----END PGP PUBLIC KEY BLOCK----- diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index eed4b0e3..903d83eb 100644 --- a/setup/bootstrap.sh 
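Review bot: keys/joshdata.asc becomes the trust anchor for every later upgrade, yet nothing in the visible change lets a reader confirm that the armored block is the intended maintainer key. The user ID can only be read after decoding and no fingerprint is recorded. Suggest stating the full fingerprint in the commit message and in a comment in setup/upgrade.sh, for example `# keys/joshdata.asc: fingerprint <FULL-FINGERPRINT>, also published at <URL>`, so it can be compared against a copy obtained through another channel. Because upgrade.sh imports every file found under keys/, any later commit that touches that directory deserves the same check.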
+++ b/setup/bootstrap.sh @@ -1,11 +1,14 @@ #!/bin/bash -######################################################### -# This script is intended to be run like this: +################################################################ +# +# This script is posted on HTTPS to make first-time installation +# super simple. Download and pipe to bash, e.g.: # # curl https://.../bootstrap.sh | sudo bash # -######################################################### +################################################################ +# What is the current version? if [ -z "$TAG" ]; then TAG=v0.08 fi @@ -35,17 +38,6 @@ fi # Change directory to it. cd $HOME/mailinabox -# Update it. -if [ "$TAG" != `git describe` ]; then - echo Updating Mail-in-a-Box to $TAG . . . - git fetch --depth 1 --force --prune origin tag $TAG - if ! git checkout -q $TAG; then - echo "Update failed. Did you modify something in `pwd`?" - exit - fi - echo -fi - -# Start setup script. -setup/start.sh +# Run the upgrade script, which in turn runs the setup script. +setup/upgrade.sh $TAG diff --git a/setup/system.sh b/setup/system.sh index 259c8768..818078e3 100755 --- a/setup/system.sh +++ b/setup/system.sh 
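Review bot: In setup/bootstrap.sh the new last line `setup/upgrade.sh $TAG` replaces the direct call to setup/start.sh, but upgrade.sh as added in this commit prints "You already have Mail-in-a-Box $TAG" and exits 1 when `git describe` already equals the tag, without running start.sh. If the clone step outside this hunk checks out $TAG, which seems likely, a first-time install would stop at that message and never run setup. Keeping the old comparison here avoids that: `if [ "$TAG" != "$(git describe)" ]; then setup/upgrade.sh "$TAG"; else setup/start.sh; fi`. The same line also quotes `$TAG`, which the new call leaves open to word splitting.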
@@ -20,13 +20,14 @@ apt_get_quiet upgrade # * cron: Runs background processes periodically. # * ntp: keeps the system time correct # * fail2ban: scans log files for repeated failed login attempts and blocks the remote IP at the firewall +# * gpg: used by upgrade.sh to verify the Mail-in-a-Box tag signature, also by duplicity to make backups # * git: we install some things directly from github # * sudo: allows privileged users to execute commands as root without being root # * coreutils: includes `nproc` tool to report number of processors # * bc: allows us to do math to compute sane defaults apt_install python3 python3-dev python3-pip \ - wget curl git sudo coreutils bc \ + wget curl gpg git sudo coreutils bc \ haveged unattended-upgrades cron ntp fail2ban # Allow apt to install system updates automatically every day. diff --git a/setup/upgrade.sh b/setup/upgrade.sh new file mode 100755 index 00000000..fba9c7c8 --- /dev/null +++ b/setup/upgrade.sh 
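Review bot: Adding `gpg` to the apt_install list in setup/system.sh does not guarantee that gpg is present when setup/upgrade.sh needs it, because upgrade.sh imports the keys and runs `git verify-tag` before it reaches setup/start.sh, and system.sh is presumably only run from there. On a box installed from an earlier version without gpg, both steps would fail and the user would see the "was not signed by the Mail-in-a-Box authors" message, which misreports a missing tool as a possible compromise. A guard near the top of upgrade.sh such as `command -v gpg >/dev/null || { echo "gpg is not installed" >&2; exit 1; }` keeps the two causes apart. It is also worth confirming that `gpg` is an installable package name on the target release; on older Debian and Ubuntu releases the binary is shipped by `gnupg`.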
@@ -0,0 +1,88 @@
+#!/bin/bash
+# Updates an existing Mail-in-a-Box installation to a newer tag.
+################################################################
+
+# Are we running as root?
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root. Did you leave out sudo?"
+ exit
+fi
+
+# Was a tag specified on the command line?
+TAG=$1
+if [ -z "$TAG" ]; then
+ echo "Usage: setup/upgrade.sh TAGNAME"
+ exit 1
+fi
+
+# Is Mail-in-a-Box already installed?
+if [ ! -d $HOME/mailinabox ]; then
+ echo Could not find your Mail-in-a-Box installation at $HOME/mailinabox.
+ exit 1
+fi
+
+# Change directory to it.
+cd $HOME/mailinabox
+
+# Are we on that tag?
+if [ "$TAG" == `git describe` ]; then
+ echo "You already have Mail-in-a-Box $TAG. Run"
+ echo " sudo setup/start.sh"
+ echo "if there are any problems."
+ exit 1
+fi
+
+# Fetch that tag.
+# bootstrap.sh script makes a shallow clone of our repository,
+# which makes the download faster, but it also makes it harder
+# to switch to a different tag. This magic combination of options
+# to git seems to do the trick.
+echo Updating Mail-in-a-Box to $TAG . . .
+git fetch --depth 1 --force --prune origin tag $TAG
+
+# Check that the tag exists and we're moving to a later version, not backwards.
+CUR_VER_TIMESTAMP=$(git show -s --format="%ct") # commit time of HEAD
+NEW_VER_TIMESTAMP=$(git show -s --format="%ct" $TAG^{tag}^{commit}) # commit time of the commit that the tag tags
+if [ -z "$NEW_VER_TIMESTAMP" ]; then echo "$TAG is not a version of Mail-in-a-Box."; exit 1; fi
+if [ $CUR_VER_TIMESTAMP -gt $NEW_VER_TIMESTAMP ]; then
+ echo -n "$TAG is older than the version you currently have installed: "
+ git describe
+ exit 1
+fi
+
+# Set up a temporary GPG keyring specifically for holding the
+# Mail-in-a-Box maintainer's signing key. Load the keys found
+# in the Mail-in-a-Box installation path. These keys are trusted
+# in so far as the user has already gotten them. On first installs,
+# we just bootstrap by assuming whatever is in github is good.
+KEYRING=/tmp/miab-upgrade-keyring
+rm -rf $KEYRING
+mkdir -p $KEYRING
+for key in `find keys/ -type f`; do
+ GNUPGHOME=$KEYRING gpg --import $key
+done
+
+# Prior to checking out the tag, verify that it was signed by a
+# known key. gpg will return a success exit code if the tag is
+# signed by any key known to gpg, whether trusted or not, which
+# is why we establish a separate keyring for this purpose.
+if ! GNUPGHOME=$KEYRING git verify-tag $TAG 2>&1 > /dev/null; then
+ echo "$TAG was not signed by the Mail-in-a-Box authors. This could"
+ echo "indicate the github repository has been compromised. Check"
+ echo "https://twitter.com/mailinabox and https://mailinabox.email/"
+ echo "for further instructions, although keep in mind that those"
+ echo "resources could be compromised as well."
+ exit 1
+fi
+
+# Clean up.
+rm -rf $KEYRING
+
+# Checkout the tag.
+if ! git checkout -q $TAG; then
+ echo "Update failed. Did you modify something in `pwd`?"
+ exit
+fi
+
+# Start setup script.
+setup/start.sh
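Review bot: The keyring that decides whether a tag is trusted lives at the fixed path `/tmp/miab-upgrade-keyring`, and `rm -rf` followed by `mkdir -p` as root leaves a window in which another local account can place its own directory at that name. `mkdir -p` accepts an existing directory, so the keys consulted by `git verify-tag` would no longer be guaranteed to be only those from keys/. Create it with `KEYRING=$(mktemp -d) || exit 1` and remove it with `trap 'rm -rf -- "$KEYRING"' EXIT`, which also covers the verification-failure branch that currently exits before the clean-up. Two smaller points in setup/upgrade.sh: `2>&1 > /dev/null` still sends stderr to the terminal (`> /dev/null 2>&1` silences both streams), and the bare `exit` after the root check and after a failed checkout returns status 0, so a caller cannot tell that the upgrade did not happen.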