diff --git a/tools/dep_updaters/update-nghttp2.sh b/tools/dep_updaters/update-nghttp2.sh
index c53a620ba096ec..51c4a0ec093733 100755
--- a/tools/dep_updaters/update-nghttp2.sh
+++ b/tools/dep_updaters/update-nghttp2.sh
@@ -43,7 +43,20 @@ NGHTTP2_TARBALL="nghttp2-$NEW_VERSION.tar.gz"
 cd "$WORKSPACE"
 
 echo "Fetching nghttp2 source archive"
+SOURCE_CHECKSUM=$(curl -sL "https://github.com/nghttp2/nghttp2/releases/download/$NGHTTP2_REF/checksums.txt" | grep $NGHTTP2_TARBALL)
 curl -sL -o "$NGHTTP2_TARBALL" "https://github.com/nghttp2/nghttp2/releases/download/$NGHTTP2_REF/$NGHTTP2_TARBALL"
+ARCHIVE_CHECKSUM=$(shasum -a256 $NGHTTP2_TARBALL)
+
+if [ "$SOURCE_CHECKSUM" = "$ARCHIVE_CHECKSUM" ]; then
+  echo "Valid nghttp2 checksum $SOURCE_CHECKSUM"
+else
+  echo "ERROR: Invalid checksum of the downloaded nghttp2 archive:"
+  echo ""
+  echo "Original: $SOURCE_CHECKSUM"
+  echo "Download: $ARCHIVE_CHECKSUM"
+  exit 1
+fi
+
 gzip -dc "$NGHTTP2_TARBALL" | tar xf -
 rm "$NGHTTP2_TARBALL"
 mv "nghttp2-$NEW_VERSION" nghttp2