diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 92d5526dea..2be29c6a6b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -57,6 +57,7 @@ lint:
     - ./tools/check-localized-metadata.py || export EXITVALUE=1
     - ./tools/check-keyalias-collision.py || export EXITVALUE=1
     - ./tools/check-metadata-summary-whitespace.py || export EXITVALUE=1
+    - ./tools/check-for-unattached-signatures.py || export EXITVALUE=1
     - exit $EXITVALUE
 
 trigger-issuebot:
diff --git a/tools/check-for-unattached-signatures.py b/tools/check-for-unattached-signatures.py
new file mode 100755
index 0000000000..03dd226ebb
--- /dev/null
+++ b/tools/check-for-unattached-signatures.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python3
+#
+#
+# Apps with reproducible builds include the APK Signature files in the
+# metadata.  If there is no matching entry in Builds:, then those
+# files are useless cruft.
+
+import glob
+import os
+import yaml
+
+errors = 0
+for d in glob.glob('metadata/*/signatures/[0-9]*'):
+    appid = os.path.basename(os.path.dirname(os.path.dirname(d)))
+    with open(os.path.join('metadata', appid + '.yml')) as fp:
+        app = yaml.safe_load(fp)
+    versionCode = os.path.basename(d)
+    found = False
+    for build in app['Builds']:
+        if int(versionCode) == int(build['versionCode']):
+            found = True
+            break
+    if not found:
+        print('ERROR: found signatures files with no matching build:')
+        for f in os.listdir(d):
+            print('\t', os.path.join(d, f))
+
+exit(errors)