diff --git a/impl/create_srpm_for_others.go b/impl/create_srpm_for_others.go
index 8f4dfd1..d77eaa4 100644
--- a/impl/create_srpm_for_others.go
+++ b/impl/create_srpm_for_others.go
@@ -50,6 +50,19 @@ func (bldr *srpmBuilder) getUpstreamSourceForOthers(upstreamSrcFromManifest mani
 	}
 	bldr.log("downloaded")
 
+	if upstreamSrcFromManifest.Sha256 != "" {
+		srcFilePath := filepath.Join(downloadDir, upstreamSrc.sourceFile)
+		sha256Hash, err := util.GenerateSha256Hash(srcFilePath)
+		if err != nil {
+			return nil, fmt.Errorf("%s SHA256 generation failed with '%s'", bldr.errPrefix, err)
+		}
+		sha256InManifest := upstreamSrcFromManifest.Sha256
+		if sha256Hash != sha256InManifest {
+			return nil, fmt.Errorf("%s bad SHA256: '%s' expected: '%s'",
+				bldr.errPrefix, sha256Hash, sha256InManifest)
+		}
+	}
+
 	upstreamSrc.skipSigCheck = upstreamSrcFromManifest.Signature.SkipCheck
 	pubKey := upstreamSrcFromManifest.Signature.DetachedSignature.PubKey
 
diff --git a/impl/create_srpm_from_others_test.go b/impl/create_srpm_from_others_test.go
index 92981df..bafdf04 100644
--- a/impl/create_srpm_from_others_test.go
+++ b/impl/create_srpm_from_others_test.go
@@ -42,3 +42,11 @@ func TestMatchTarballSignature(t *testing.T) {
 	t.Log("Test tarball Signatue Match")
 	testTarballSig(t, "matchTarball")
 }
+
+func TestUpstreamSourcesSHA256Hash(t *testing.T) {
+	pkg := "bandit"
+	cwd, _ := os.Getwd()
+	repo := filepath.Join(cwd, "testData/upstream-hash-check-bad")
+	createSrpmErr := CreateSrpm(repo, pkg, CreateSrpmExtraCmdlineArgs{})
+	require.NotEqual(t, nil, createSrpmErr)
+}
diff --git a/impl/testData/upstream-hash-check-bad/eext.yaml b/impl/testData/upstream-hash-check-bad/eext.yaml
new file mode 100644
index 0000000..37f475d
--- /dev/null
+++ b/impl/testData/upstream-hash-check-bad/eext.yaml
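Review bot: The comparison `sha256Hash != sha256InManifest` is an exact byte match against the raw manifest string, while GenerateSha256Hash returns lowercase hex, so a digest written in uppercase or with trailing whitespace in eext.yaml is reported as "bad SHA256" even when it is correct; normalising first avoids that: `if !strings.EqualFold(sha256Hash, strings.TrimSpace(sha256InManifest)) {` (adding the strings import if the file lacks it). Both `fmt.Errorf` calls in the new block format `err` with `%s`; `%w` keeps the underlying error reachable through errors.Is/As. When `Sha256` is empty the block is skipped with no trace, and since `signature.skip-check` can also be set, a `bldr.log("no SHA256 in manifest, skipping checksum verification")` line before the signature handling would make the absence of any integrity check visible in the build log. getUpstreamSourceForOthers begins and ends outside the hunk.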
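Review bot: `require.NotEqual(t, nil, createSrpmErr)` accepts any failure from CreateSrpm, so the test also passes when the download fails or the manifest does not parse, not only on a checksum mismatch; pinning the message asserts the behaviour under test: `require.ErrorContains(t, createSrpmErr, "bad SHA256")`. The `os.Getwd` error is discarded on the line above it; `cwd, err := os.Getwd()` followed by `require.NoError(t, err)` stops a bad working directory from surfacing as a misleading path error. The fixture's Sha256 value contains non-hex characters, so the test exercises a malformed digest rather than a well-formed wrong one; a 64-character hex string that simply does not match would cover the realistic case. If CreateSrpm fetches the bandit SRPM over the network here, the test presumably needs connectivity, which is worth checking against how the other tests in this file are gated.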
@@ -0,0 +1,16 @@
+---
+package:
+  - name: bandit
+    upstream-sources:
+      - source-bundle:
+          name: srpm
+          override:
+            version: 1.7.7-1.fc40
+        signature:
+          skip-check: true
+        Sha256: c2b29c064e8c9dcf92fe21b416d2sfgsgsfg94d7850gbdfhghd
+        type: srpm
+    build:
+      repo-bundle:
+        - name: el9
+        - name: epel9
diff --git a/manifest/manifest.go b/manifest/manifest.go
index 5296447..6c1f836 100644
--- a/manifest/manifest.go
+++ b/manifest/manifest.go
@@ -131,6 +131,7 @@ type UpstreamSrc struct {
 	FullURL   string    `yaml:"full-url"`
 	GitBundle GitBundle `yaml:"git"`
 	Signature Signature `yaml:"signature"`
+	Sha256    string    `yaml:"Sha256"`
 }
 
 // Package spec
diff --git a/util/util.go b/util/util.go
index c0318e2..3db9d06 100644
--- a/util/util.go
+++ b/util/util.go
@@ -4,6 +4,7 @@ package util
 
 import (
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
 
@@ -161,3 +162,18 @@ func GetRepoDir(repo string) string {
 	}
 	return repoDir
 }
+
+// Generate SHA256 hash of file
+func GenerateSha256Hash(filePath string) (string, error) {
+	file, err := os.Open(filePath)
+	if err != nil {
+		return "", fmt.Errorf("GenerateSha256Hash: %s", err)
+	}
+	defer file.Close()
+	hashComputer := sha256.New()
+	if _, err := io.Copy(hashComputer, file); err != nil {
+		return "", fmt.Errorf("GenerateSha256Hash: %s", err)
+	}
+	sha256Hash := fmt.Sprintf("%x", hashComputer.Sum(nil))
+	return sha256Hash, nil
+}
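Review bot: The new field's yaml key `Sha256` breaks the convention of its neighbours (`full-url`, `git`, `signature`), which are lowercase kebab-case; a tag of yaml:"sha256" (with the new fixture updated to match) keeps manifests consistent and avoids a silently ignored field when an author writes `sha256:` by analogy with the rest of the file. A comment on the field such as `// Sha256 is the hex SHA-256 digest of the downloaded upstream file; empty disables the check.` would tell manifest authors what the value does, though the surrounding fields in the hunk carry none. UpstreamSrc continues outside the hunk.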
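Review bot: The doc comment `// Generate SHA256 hash of file` does not start with the function name, which godoc and linters expect for an exported identifier; `// GenerateSha256Hash returns the lowercase hex-encoded SHA-256 digest of the file at filePath.` also tells callers which encoding they must compare against. Both `fmt.Errorf("GenerateSha256Hash: %s", err)` calls should use `%w` so the underlying os/io error (for example fs.ErrNotExist) stays reachable with errors.Is. `hex.EncodeToString(hashComputer.Sum(nil))` from encoding/hex is the direct form of the `%x` Sprintf and skips reflection-based formatting, though that is a style point only.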