diff --git a/flake.nix b/flake.nix
index bdbf541693a..41808098eda 100644
--- a/flake.nix
+++ b/flake.nix
@@ -121,6 +121,7 @@ buildPackages.git buildPackages.mercurial # FIXME: remove? only needed for tests buildPackages.jq # Also for custom mdBook preprocessor. + buildPackages.openssh # only needed for tests (ssh-keygen) ] ++ lib.optionals stdenv.hostPlatform.isLinux [(buildPackages.util-linuxMinimal or buildPackages.utillinuxMinimal)];
diff --git a/tests/fetchGitVerification.sh b/tests/fetchGitVerification.sh
new file mode 100644
index 00000000000..99e15772f0a
--- /dev/null
+++ b/tests/fetchGitVerification.sh
@@ -0,0 +1,40 @@
+source common.sh
+
+requireGit
+[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen as well
+
+clearStore
+
+repo="$TEST_ROOT/git"
+
+export _NIX_FORCE_HTTP=1
+
+# generate signing keys
+keysDir=$TEST_ROOT/.ssh
+mkdir -p "$keysDir"
+ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
+key1File="$keysDir/testkey1.pub"
+publicKey1=$(awk '{print $2}' "$key1File")
+ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
+key2File="$keysDir/testkey2.pub"
+publicKey2=$(awk '{print $2}' "$key2File")
+
+git init $repo
+git -C $repo config user.email "foobar@example.com"
+git -C $repo config user.name "Foobar"
+git -C $repo config gpg.format ssh
+
+echo "hello" > $repo/text
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'
+
+out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'No principal matched.' ]]
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]
+
+echo "hello world" > $repo/text
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'
+
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]
diff --git a/tests/local.mk b/tests/local.mk
index 2afe912203f..b43d43bdf4e 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -54,6 +54,7 @@ nix_tests = \
 secure-drv-outputs.sh \
 restricted.sh \
 fetchGitSubmodules.sh \
+ fetchGitVerification.sh \
 flakes/search-root.sh \
 readfile-context.sh \
 nix-channel.sh \
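Review bot: In tests/fetchGitVerification.sh the only rejection case is the first commit, signed with testkey1, evaluated against `publicKey2`. Nothing covers an unsigned commit, or the state after the second commit where HEAD is signed with testkey2 and only `publicKey1` is trusted. Those two cases are what would show that verification is applied to the revision actually fetched and that a missing signature is treated as a failure, so I would add both using the existing `|| status=$?` / `[[ $status == 1 ]]` pattern. Separately, `status` is never initialised before `out=$(...) || status=$?`; the following `[[ $out =~ ... ]]` still catches an unexpected success, but a `status=0` on the line before makes the assertion independent of anything left in the environment or set by `common.sh`.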