diff --git a/INSTALL.md b/INSTALL.md
index 817c1d1..42b2ca7 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -319,6 +319,12 @@ For the container image:
 gpg --verify container.tar.gz.asc container.tar.gz
 ```
+For the source package:
+
+```
+gpg --verify dangerzone-0.6.1.tar.gz.asc dangerzone-0.6.1.tar.gz
+```
+
 We also hash all the above files with SHA-256, and provide a list of these hashes as a separate file (`checksums-0.6.1.txt`). This file is signed as well, and the signature is embedded within it. You can download this file and verify
diff --git a/RELEASE.md b/RELEASE.md
index 0cf00ab..1c69a24 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -395,6 +395,14 @@ repo. To publish the release:
+- [ ] Create an archive of the Dangerzone source in `tar.gz` format:
+ * You can use the following command:
+
+ ```
+ export DZ_VERSION=$(cat share/version.txt)
+ git archive --format=tar.gz -o dangerzone-${DZ_VERSION:?}.tar.gz --prefix=dangerzone/ v${DZ_VERSION:?}
+ ```
+
 - [ ] Run container scan on the produced container images (some time may have passed since the artifacts were built)
 - [ ] Collect the assets in a single directory, calculate their SHA-256 hashes, and sign them.
 * You can use `./dev_scripts/sign-assets.py`, if you want to automate this
diff --git a/dev_scripts/sign-assets.py b/dev_scripts/sign-assets.py
index c272d4b..311203c 100755
--- a/dev_scripts/sign-assets.py
+++ b/dev_scripts/sign-assets.py
@@ -15,6 +15,7 @@ DZ_ASSETS = [
 "Dangerzone-{version}.msi",
 "Dangerzone-{version}-arm64.dmg",
 "Dangerzone-{version}-i686.dmg",
+ "dangerzone-{version}.tar.gz",
 ]
 DZ_SIGNING_PUBKEY = "DE28AB241FA48260FAC9B8BAA7C9B38522604281"
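Review bot: The new `"dangerzone-{version}.tar.gz"` entry in `DZ_ASSETS` is the one asset in the visible list that is not an installer image, and the list gives no hint of how that file is meant to be produced. The RELEASE.md hunk of this commit creates it with `git archive --format=tar.gz ... --prefix=dangerzone/ v${DZ_VERSION:?}`, so a comment above the entry such as `# Source archive created with "git archive" from the release tag; see RELEASE.md` would tell whoever runs the signing script which file it expects. The signature and SHA-256 hash cover that exact file, so an archive of the same tag produced with a different prefix or compressor would presumably fail verification; the comment is a good place to say that. The `DZ_ASSETS` list starts above the hunk, so the remaining entries are not visible here.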