diff --git a/README.md b/README.md
index 248ee45..5596f46 100644
--- a/README.md
+++ b/README.md
@@ -3,3 +3,13 @@
 A small collection of scripts I use to control and automatically update my servers.
 
 **Released under GNU General Public License v3.0**
+
+## update.sh
+
+```
+Usage: update.sh [dir]
+```
+
+Updates the current (or given) git repository to the newest tag with given prefix (defined inline, by default "*^release*").
+Therefore, checks if the given tag is signed correctly by a gpg key with ultimate trust,
+otherwise the script will abort the update and exit with error code 1.
diff --git a/update.sh b/update.sh
new file mode 100755
index 0000000..512f191
--- /dev/null
+++ b/update.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e -u;
+
+if [ $# -eq 1 ]; then
+    cd "$1";
+fi
+
+PREFIX=release;
+
+git pull --tags;
+TAG=$(git tag --list | grep "^$PREFIX-" | sort -r | head -n 1);
+if git verify-tag "$TAG" | grep "TRUST_ULTIMATE" 2>&1 > /dev/null; then
+    git checkout "$TAG";
+    ./configure.sh;
+else
+    exit 1;
+fi