diff --git a/.gitignore b/.gitignore
index 177e86c..986d07a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-linux-*.tar.bz2
+linux-*.tar.gz
 linux-*.tar.xz
 linux-*.sign
 WireGuard-*.tar.xz
diff --git a/Makefile b/Makefile
index f8f5ac1..48151b3 100644
--- a/Makefile
+++ b/Makefile
@@ -11,14 +11,11 @@ SOURCEDIR := $(WORKDIR)
 NO_OF_CPUS := $(shell grep -c ^processor /proc/cpuinfo)
-BUILD_FLAVOR := pvops
-
 RPM_DEFINES := --define "_sourcedir $(SOURCEDIR)" \
 --define "_specdir $(SPECDIR)" \
 --define "_builddir $(BUILDDIR)" \
 --define "_srcrpmdir $(SRCRPMDIR)" \
- --define "_rpmdir $(RPMDIR)" \
- --define "build_flavor $(BUILD_FLAVOR)"
+ --define "_rpmdir $(RPMDIR)"
 ifndef NAME
 $(error "You can not run this Makefile without having NAME defined")
@@ -30,6 +27,13 @@ ifndef RELEASE
 RELEASE := $(shell cat rel)
 endif
+ifneq ($(VERSION),$(subst -rc,,$(VERSION)))
+DOWNLOAD_FROM_GIT=1
+VERIFICATION := hash
+else
+VERIFICATION := signature
+endif
+
 all: help
 MIRROR := cdn.kernel.org
@@ -39,13 +43,13 @@ else
 SRC_BASEURL := $(DISTFILES_MIRROR)
 endif
+ifeq ($(VERIFICATION),signature)
 SRC_FILE := linux-${VERSION}.tar.xz
-ifeq ($(BUILD_FLAVOR),pvops)
 SIGN_FILE := linux-${VERSION}.tar.sign
 else
-SIGN_FILE := linux-${VERSION}.tar.bz2.sign
+SRC_FILE := linux-${VERSION}.tar.gz
+HASH_FILE := $(SRC_FILE).sha512
 endif
-HASH_FILE :=${SRC_FILE}.sha1sum
 WG_BASE_URL := https://git.zx2c4.com/WireGuard/snapshot
 WG_SRC_FILE := WireGuard-0.0.20190913.tar.xz
@@ -57,6 +61,10 @@ WG_SIG_URL := $(WG_BASE_URL)/$(WG_SIG_FILE)
 URL := $(SRC_BASEURL)/$(SRC_FILE)
 URL_SIGN := $(SRC_BASEURL)/$(SIGN_FILE)
+ifeq ($(DOWNLOAD_FROM_GIT),1)
+URL := https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/snapshot/linux-$(VERSION).tar.gz
+endif
+
 get-sources: $(SRC_FILE) $(SIGN_FILE) $(WG_SRC_FILE) $(WG_SIG_FILE)
 $(SRC_FILE):
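Review bot: `DOWNLOAD_FROM_GIT` is assigned only in the `-rc` branch of the hunk at `-30,6 +27,13`, so for a release version its value is whatever the environment supplies, and the later `ifeq ($(DOWNLOAD_FROM_GIT),1)` would then point `URL` at the git snapshot while `SRC_FILE` still names the `.tar.xz`. The signature check should reject such a file, but the mode is better pinned in the Makefile: add `DOWNLOAD_FROM_GIT := 0` to the `else` branch and write the other assignment as `DOWNLOAD_FROM_GIT := 1`. This test also looks for `-rc`, whereas kernel.spec.in in the same commit parses `~rc` out of `@VERSION@`; the conversion between the two spellings is not visible in this diff and is worth confirming.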
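Review bot: In the hash branch of the hunk at `-39,13 +43,13` `SIGN_FILE` is never defined, yet `URL_SIGN := $(SRC_BASEURL)/$(SIGN_FILE)` and the `get-sources` prerequisite list in the next hunk still expand it, leaving a URL with an empty file name and, presumably, an empty-target rule outside the diff. An explicit `SIGN_FILE :=` in that branch would make the intent visible. Nothing here says where `$(HASH_FILE)` comes from, and it is the only trust anchor for rc builds, so I would add a comment such as `# rc builds: no detached signature; $(HASH_FILE) is kept in this repository and is never downloaded`, assuming that is how the file is meant to be provided.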
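Review bot: The rc `URL` in the hunk at `-57,6 +61,10` is hard-coded to the cgit snapshot endpoint, so `DISTFILES_MIRROR` is silently ignored for rc builds and integrity rests entirely on the pinned sha512. Snapshot tarballs are generated on demand and, as far as I know, are not guaranteed to stay byte-identical over time, so the hash check can start failing with no change in the source. That fails closed, but it deserves a comment next to the URL, for example `# snapshot is generated by the server; if sha512 stops matching, re-derive it from the signed tag, do not just refresh the hash`.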
@@ -79,14 +87,12 @@ import-keys:
 verify-sources: import-keys
 @xzcat $(WG_SRC_FILE) | gpgv --keyring wireguard-trustedkeys.gpg $(WG_SIG_FILE) - 2>/dev/null
-ifeq ($(BUILD_FLAVOR),pvops)
+ifeq ($(VERIFICATION),signature)
 @xzcat $(SRC_FILE) | gpgv --keyring linux-kernel-trustedkeys.gpg $(SIGN_FILE) - 2>/dev/null
 else
-# @gpg --verify $(SIGN_FILE) $(SRC_FILE)
-# The key has been compromised
-# and kernel.org decided not to release signature
-# with a new key... oh, well...
- sha1sum --quiet -c ${HASH_FILE}
+ # there are no signatures for rc tarballs
+ # verify locally based on a signed git tag and commit hash file
+ sha512sum --quiet -c $(HASH_FILE)
 endif
 .PHONY: clean-sources
diff --git a/gen-config b/gen-config
index c718b4a..0d525a6 100755
--- a/gen-config
+++ b/gen-config
@@ -20,9 +20,9 @@ set -eu -o pipefail
 linux_merge_config="./scripts/kconfig/merge_config.sh"
 make_opts=""
-if [ -n "${RPM_PACKAGE_VERSION:-}" ]; then
- linux_merge_config="../linux-$RPM_PACKAGE_VERSION/scripts/kconfig/merge_config.sh"
- make_opts="-C ../linux-$RPM_PACKAGE_VERSION O=$PWD"
+if [ -n "${LINUX_UPSTREAM_VERSION:-}" ]; then
+ linux_merge_config="../linux-$LINUX_UPSTREAM_VERSION/scripts/kconfig/merge_config.sh"
+ make_opts="-C ../linux-$LINUX_UPSTREAM_VERSION O=$PWD"
 fi
 if [ -z "$linux_merge_config" ]; then
diff --git a/kernel.spec.in b/kernel.spec.in
index 89c695a..22fb6a9 100644
--- a/kernel.spec.in
+++ b/kernel.spec.in
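Review bot: `sha512sum --quiet -c $(HASH_FILE)` in the `verify-sources` recipe verifies whichever file names are listed inside the hash file, not `$(SRC_FILE)` itself, so a hash file whose entry names a different path would pass while the downloaded tarball goes unchecked. Binding the check to the tarball closes that gap, e.g. `@echo "$$(cut -d' ' -f1 $(HASH_FILE))  $(SRC_FILE)" | sha512sum --quiet -c -`. The `else` branch also runs for any `VERIFICATION` value other than `signature`; an explicit `ifeq ($(VERIFICATION),hash)` with an `$(error ...)` fallback would make an unexpected value fail instead of selecting the weaker check. The two added comment lines look indented like recipe lines; if they begin with a tab, make echoes them and passes them to the shell on every run, so move them to column 0 or prefix them with `@`.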
@@ -2,10 +2,19 @@
 # Based on the Open SUSE kernel-spec & Fedora kernel-spec.
 #
-%define variant pvops.qubes
+%define variant qubes
 %define plainrel @REL@
 %define rel %{plainrel}.%{variant}
-%define version @VERSION@
+%define version %(echo '@VERSION@' | sed 's/~rc.*/.0/')
+%define upstream_version %(echo '@VERSION@' | sed 's/~rc/-rc/')
+%if "%{version}" != "%{upstream_version}"
+%define prerelease 1
+%define rel 0.%(echo '@VERSION@' | sed 's/.*~rc/rc/').%{plainrel}.%{variant}
+%else
+%define prerelease 0
+%define rel %{plainrel}.%{variant}
+%endif
+
 %define name_suffix -latest
 %define _buildshell /bin/bash
@@ -14,13 +23,13 @@
 %global cpu_arch x86_64
 %define cpu_arch_flavor %cpu_arch
-%define kernelrelease %(echo %{version} | sed 's/^3\\.[0-9]\\+$/\\0.0/')-%rel.%cpu_arch
+%define kernelrelease %(echo %{upstream_version} | sed 's/^[0-9]\\.[0-9]\\+$/\\0.0/;s/-rc.*/.0/')-%rel.%cpu_arch
 %define my_builddir %_builddir/%{name}-%{version}
-%define build_src_dir %my_builddir/linux-%version
+%define build_src_dir %my_builddir/linux-%upstream_version
 %define src_install_dir /usr/src/kernels/%kernelrelease
 %define kernel_build_dir %my_builddir/linux-obj
-%define vm_install_dir /var/lib/qubes/vm-kernels/%version-%{plainrel}
+%define vm_install_dir /var/lib/qubes/vm-kernels/%upstream_version-%{plainrel}
 %define install_vdso 1
 %define debuginfodir /usr/lib/debug
@@ -92,10 +101,13 @@ Conflicts: lvm2 < 2.02.33
 Provides: kernel = %kernelrelease
 Provides: kernel-uname-r = %kernelrelease
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch: x86_64
-Source0: linux-%version.tar.xz
+%if !%{prerelease}
+Source0: linux-%{upstream_version}.tar.xz
+%else
+Source0: linux-%{upstream_version}.tar.gz
+%endif
 Source5: WireGuard-0.0.20190913.tar.xz
 Source16: guards
 Source17: apply-patches
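Review bot: The unconditional `%define rel %{plainrel}.%{variant}` kept above the new `%if` in the first hunk is now dead, because both branches redefine `rel`; dropping it, or dropping the copy in the `%else` branch, leaves one definition per case. `@VERSION@` is also pasted three times into single-quoted shell inside `%( … )`, which rpm runs while parsing the spec, so a stray quote in the value would change the command. A comment stating the expected shape of the value and that it is substituted from a trusted file would help, e.g. `# @VERSION@ is X.Y[.Z] or X.Y~rcN, filled in from this repository; it is expanded inside %( ) below`.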
@@ -123,22 +135,21 @@ Patch13: 0014-xen-pciback-add-attribute-to-allow-MSI-enable-flag-w.patch
 Qubes Dom0 kernel.
 %prep
-if ! [ -e %_sourcedir/linux-%version.tar.xz ]; then
- echo "The %name-%version.nosrc.rpm package does not contain the" \
- "complete sources. Please install kernel-source-%version.src.rpm."
- exit 1
-fi
-
 SYMBOLS="xen-dom0 pvops"
 # Unpack all sources and patches
 %autosetup -N -c -T -a 0
+export LINUX_UPSTREAM_VERSION=%{upstream_version}
+
 mkdir -p %kernel_build_dir
-cd linux-%version
+cd linux-%upstream_version
 %autopatch -p1
+# drop EXTRAVERSION - possible -rc suffix already included in %release
+sed -i -e 's/^EXTRAVERSION = -rc.*/EXTRAVERSION =/' Makefile
+
 cd %kernel_build_dir
 # Create QubesOS config kernel
@@ -147,7 +158,7 @@ cd %kernel_build_dir
 %build_src_dir/scripts/config \
 --set-str CONFIG_LOCALVERSION -%release.%cpu_arch %{setup_config}
-MAKE_ARGS="$MAKE_ARGS -C %build_src_dir O=$PWD"
+MAKE_ARGS="$MAKE_ARGS -C %build_src_dir O=$PWD KERNELRELEASE=%{kernelrelease}"
 make prepare $MAKE_ARGS
 make scripts $MAKE_ARGS
@@ -563,18 +574,18 @@ if [ "$current_default_package" = "%{name}-qubes-vm" ]; then
 # If qubes-prefs isn't installed yet, the default kernel will be set by %post
 # of qubes-core-dom0
-type qubes-prefs &>/dev/null && qubes-prefs --set default-kernel %version-%plainrel
+type qubes-prefs &>/dev/null && qubes-prefs --set default-kernel %upstream_version-%plainrel
 fi
 exit 0
 %preun qubes-vm
-if [ "`qubes-prefs -g default-kernel`" == "%version-%plainrel" ]; then
+if [ "`qubes-prefs -g default-kernel`" == "%upstream_version-%plainrel" ]; then
 echo "This kernel version is set as default VM kernel, cannot remove"
 exit 1
 fi
-if qvm-ls --kernel | grep -qw "%upstream_version-%plainrel"; then
+if qvm-ls --kernel | grep -qw "%upstream_version-%plainrel"; then
 echo "This kernel version is used by at least one VM, cannot remove"
 exit 1
 fi
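Review bot: `export LINUX_UPSTREAM_VERSION=%{upstream_version}` in the `%prep` hunk only lives for the `%prep` script, since rpm runs each section as its own shell, and gen-config falls back to `./scripts/kconfig/merge_config.sh` when the variable is empty. Any call from a later section would therefore take the other path without an error; a comment on the export naming the call that consumes it would make the scope explicit. The added `sed` on `EXTRAVERSION` also succeeds when nothing matches, so a follow-up `grep -q '^EXTRAVERSION =$' Makefile` would catch an upstream format change instead of leaving the suffix in place. The `%prep` section continues outside the hunk.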
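Review bot: `grep -qw "%upstream_version-%plainrel"` in the `%preun qubes-vm` hunk treats the version as a regular expression, so every `.` matches any character and a different kernel name can block or permit removal by accident. A literal match avoids that: `if qvm-ls --kernel | grep -qwF "%upstream_version-%plainrel"; then`. The same string is now the key for `default-kernel` and for the vm-kernels directory, so any remaining `%version-%plainrel` use elsewhere in the spec, outside these hunks, would stop matching for rc builds and is worth searching for.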