diff --git a/gnutls.changes b/gnutls.changes
index 78c0528..91a50b7 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep 24 13:16:02 UTC 2019 - Vítězslav Čížek
+
+- Install checksums for binary integrity verification which are
+ required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
+
 -------------------------------------------------------------------
 Wed Jul 31 17:05:53 UTC 2019 - Andreas Stieger
diff --git a/gnutls.spec b/gnutls.spec
index 7ae1125..3cc0a25 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -44,6 +44,7 @@ BuildRequires: autogen
 BuildRequires: automake
 BuildRequires: datefudge
 BuildRequires: fdupes
+BuildRequires: fipscheck
 BuildRequires: gcc-c++
 # The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
 BuildRequires: iproute2
@@ -185,6 +186,21 @@ export CXXFLAGS="%{optflags} -fPIE"
 %{nil}
 make %{?_smp_mflags}
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+# openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+%{expand:%%global __os_install_post {%__os_install_post
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}
+}}
+
 %install
 %make_install
 rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
@@ -252,6 +268,7 @@ make %{?_smp_mflags} check || {
 %files -n libgnutls%{gnutls_sover}
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
+%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
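Review bot: The comment block added in the gnutls.spec hunk at `@@ -185,6 +186,21 @@` quotes the HMAC key without saying that it is a fixed, publicly known value (it looks like fipscheck's built-in default), so a reader can mistake the `.hmac` file for tamper protection. The checksum only gives the FIPS-mode integrity self-test a reference value; anyone able to replace the library can recompute the file, and authenticity still rests on the package signature. I would add a comment line such as `# note: the key is public; the .hmac detects corruption, it does not authenticate the library`. It would also help to state that the file name fipshmac derives from `libgnutls.so.%{gnutls_sover}` is presumably the one the library looks up at runtime, since the `%files` glob in the last hunk accepts any `.libgnutls.so.%{gnutls_sover}*.hmac`. The `%build` section this block sits in starts outside the hunk.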