diff --git a/flake.nix b/flake.nix
index 7cc4ed7fe..51d818423 100644
--- a/flake.nix
+++ b/flake.nix
@@ -185,6 +185,7 @@
             buildPackages.git
             buildPackages.mercurial # FIXME: remove? only needed for tests
             buildPackages.jq # Also for custom mdBook preprocessor.
+            buildPackages.openssh # only needed for tests (ssh-keygen)
           ]
           ++ lib.optionals stdenv.hostPlatform.isLinux [(buildPackages.util-linuxMinimal or buildPackages.utillinuxMinimal)];
 
diff --git a/tests/functional/fetchGitVerification.sh b/tests/functional/fetchGitVerification.sh
new file mode 100644
index 000000000..4d9209498
--- /dev/null
+++ b/tests/functional/fetchGitVerification.sh
@@ -0,0 +1,76 @@
+source common.sh
+
+requireGit
+[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen
+
+enableFeatures "verified-fetches"
+
+clearStore
+
+repo="$TEST_ROOT/git"
+
+# generate signing keys
+keysDir=$TEST_ROOT/.ssh
+mkdir -p "$keysDir"
+ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
+key1File="$keysDir/testkey1.pub"
+publicKey1=$(awk '{print $2}' "$key1File")
+ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
+key2File="$keysDir/testkey2.pub"
+publicKey2=$(awk '{print $2}' "$key2File")
+
+git init $repo
+git -C $repo config user.email "foobar@example.com"
+git -C $repo config user.name "Foobar"
+git -C $repo config gpg.format ssh
+
+echo 'hello' > $repo/text
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'
+
+out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'No principal matched.' ]]
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]
+
+echo 'hello world' > $repo/text
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'
+
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]
+
+# Flake input test
+flakeDir="$TEST_ROOT/flake"
+mkdir -p "$flakeDir"
+cat > "$flakeDir/flake.nix" <<EOF
+{
+  inputs.test = {
+    type = "git";
+    url = "file://$repo";
+    flake = false;
+    publicKeys = [
+      { type = "ssh-rsa"; key = "$publicKey2"; }
+    ];
+  };
+
+  outputs = { test, ... }: { test = test.outPath; };
+}
+EOF
+nix build --out-link "$flakeDir/result" "$flakeDir#test"
+[[ $(cat "$flakeDir/result/text") = 'hello world' ]]
+
+cat > "$flakeDir/flake.nix" <<EOF
+{
+  inputs.test = {
+    type = "git";
+    url = "file://$repo";
+    flake = false;
+    publicKey= "$publicKey1";
+  };
+
+  outputs = { test, ... }: { test = test.outPath; };
+}
+EOF
+out=$(nix build "$flakeDir#test" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'No principal matched.' ]]
\ No newline at end of file
diff --git a/tests/functional/local.mk b/tests/functional/local.mk
index 3679349f8..fe0d0c4ed 100644
--- a/tests/functional/local.mk
+++ b/tests/functional/local.mk
@@ -55,6 +55,7 @@ nix_tests = \
   secure-drv-outputs.sh \
   restricted.sh \
   fetchGitSubmodules.sh \
+  fetchGitVerification.sh \
   flakes/search-root.sh \
   readfile-context.sh \
   nix-channel.sh \