diff --git a/.sig/manifest.8E47A1EC35A1551D.asc b/.sig/manifest.8E47A1EC35A1551D.asc index 3d15de3..5e0832e 100644 --- a/.sig/manifest.8E47A1EC35A1551D.asc +++ b/.sig/manifest.8E47A1EC35A1551D.asc @@ -1,16 +1,16 @@ -----BEGIN PGP SIGNATURE----- -iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+t+2oACgkQjkeh7DWh -VR2IXhAAjmTd0B6opCTpBLztUvFugGMTQ9RoTxJnK3tubVyr0iM5qwMeg4odVvew -6pDtOG5prIqaj1cx97ehwN/zs76HCRUYOguZ4y7RTnOW+tvrz1DOmqT61AyJK1Lz -8lPhtR6HsomPznrBRQBz91JC8BPsVKnmXAtJyQlhY6kk6uRIyUVCvuHcz8i2H/Ao -GmPlbP6B0uDwiXhK0zF0v3wccoIIIylMsOW2hUHdJ1FKIn6DX795MmDK8SfPqFkE -t0UfHiAraG98+2rwF3Hppu3+8DkqfdKJzAwKKjT+WUJz4XHNVQi7eVDBkH8MEegp -ntFFaIACZ0kNSctD9OGPofkCgrh/r+RviTD1lCxYLWfSVEAceOwTSBC8nRPNZysq -60/WHumYuOkQqaN+LCLNHie4HryP5DBq2O9nmVglRzj9IDvcXronC0ug7VLEcfMZ -crId3FQUU/rgZE/VbwvfWxflSyj32QHMRpd1yFadeOWBt08cRkj0zMF0rUeeoJJy -JGXbhEV9Irtga2iss2FDijBzHMJIVu/Rfq9boV4YAip5dE0jKZyy6X+pLxFpxUlz -Etbsrzn9W0Z55srHDOCeYDyGm4p6rNDQTOTJFswLUXmW1A7M/Vx9ZuMR2tT0vv9D -WeJkGX764VHEgHABfsdRsvSm1xOPy+Du10gUkPyGT/HHcAdhwww= -=MuI6 +iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+vC2EACgkQjkeh7DWh +VR3B2BAAsJ8v5t+9jzTljECYmpkvepZB2zquAX+U9e9OhPOTuSueI8vOI/1Ywu6I +Vsix5eXWUozEU4Dc4KldX1Eryqbb5euI/JHrLYpiQrtfoudnbQNZLP+vWadiepBG +Q9VFBWlZRVvcJ5elJk/1Qk1+Ufxu2grp7pWCU9616ii79f3f0lHknMexcvnbGr/s +WSCtdhFDApRqcFfwpBX1wvpamClOAwAj+6MoG7CqCxHeMLmOVeKlMGiCLiwor9K9 +eAj1D2tovdMBBYT8gvwLVSnRZS5Yl1cEE6ewVxA2Pqnhc4M71SRKa2gEaKVT+LyL +hJ8JOYiKrX+sxdvf9N3IewgxgDgAViMSBitQ+EguEiJTCwtGZKmAp1LRMqzC16pW +Ike+uMTj1LWhe7zGWlsqG1kLR7mDrqXWYraj70A/siAghkPB1Bj7MINI4v8K8dN/ +z3oPJYYme2qno5vWtoPFVBY+P/n/MbQRJl3Va9VVU6vkHn3xz32F2Td60TA4Fkqg +irmK+WNWDwtksAcI9pAlegCi60k2fH1AJppC2vPGSS9fqw6lm/+zBKkBJpOiOxAj +nb1jq16lIugVus7eMmoJ/DNpSlSBCcUwKou9Ns4EuXTdXWKfklLKzcfD3y+UMAm7 +I84Ns0GkCmdQQg4uqoBIRX8Q7Wi6tx3hL9y4q3GFvOSJBPd8jzs= +=3lXa -----END PGP SIGNATURE----- diff --git a/.sig/manifest.txt b/.sig/manifest.txt index b14d6c0..17624f7 100644 --- a/.sig/manifest.txt +++ b/.sig/manifest.txt 
@@ -1,2 +1,2 @@
 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore
-9c0292898230fb016b00b0f4c72e79b839bb5395f299feb97222e3035e05c6eb sig
+e659c0fc9b60694b31b13939d2dd36b97be56dc1d781ba8b352c466456e57a21 sig
diff --git a/sig b/sig
index 83b919c..307d635 100755
--- a/sig
+++ b/sig
@@ -78,14 +78,22 @@ cmd_manifest() {
 }
 
 verify_file() {
- [ $# -eq 2 ] || die \
- "Usage: verify_file "
+ [ $# -eq 3 ] || die \
+ "Usage: verify_file "
 local threshold="${1}"
- local filename="${2}"
+ local group="${2}"
+ local filename="${3}"
+ local group_config=""
 local sig_count=0
 local seen_fingerprints=""
 local fingerprint
 local signer
+
+ [ ! -z "$group" ] && group_config="$( \
+ gpg --with-colons --list-config group \
+ | grep -i "^cfg:group:${group}:" \
+ )" || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
+
 for sig_filename in "${filename%.*}".*.asc; do
 gpg --verify "${sig_filename}" "$(unknown)" >/dev/null 2>&1 || {
 echo "Invalid signature: ${sig_filename}";
@@ -103,11 +111,16 @@ verify_file() {
 | awk -F: '$1 == "uid" {print $10}' \
 | head -n1 \
 )
- [[ "${seen_fingerprints}" == *"${fingerprint}"* ]] && {
- echo "Duplicate signature: ${sig_filename}";
- exit 1;
- }
+
+ [[ "${seen_fingerprints}" == *"${fingerprint}"* ]] \
+ && die "Duplicate signature: ${sig_filename}";
+
+ [ ! -z "$group_config" ] \
+ && [[ "${group_config}" != *"${fingerprint}"* ]] \
+ && die "Signature not in group \"${group}\": ${sig_filename}";
+
 echo "Verified signature by \"${signer}\""
+
 seen_fingerprints="${seen_fingerprints} ${fingerprint}"
 ((sig_count=sig_count+1))
 done
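Review bot: With no `--group` given, the new `[ ! -z "$group" ] && group_config="$( ... )" || die` line in verify_file aborts with `group "" not found`, because when the `-z` test fails the whole `A && B` is false and control falls into the `|| die` branch — `A && B || C` is not an if/else, so every `verify` that does not pass a group now dies. The group name is also interpolated into a grep regex, so a name containing `.` or `*` can match a different group's `cfg:group:` line. Rewriting the lookup as an explicit conditional that compares the group field exactly and then checks the result fixes both; the `|| die` on the pipeline must move to a separate emptiness test, since awk exits 0 whether or not it matched. verify_file's body continues past this hunk.
```shell
verify_file() {
    # … unchanged: argument check and locals …
    if [ -n "$group" ]; then
        group_config="$( \
            gpg --with-colons --list-config group \
            | awk -F: -v g="$group" '$1 == "cfg" && $2 == "group" && tolower($3) == tolower(g)' \
        )"
        [ -n "$group_config" ] \
            || die "Error: group \"${group}\" not found in ~/.gnupg/gpg.conf"
    fi
    # … unchanged: signature loop …
```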
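Review bot: The membership test `[[ "${group_config}" != *"${fingerprint}"* ]]` is a case-sensitive substring match of the signer's fingerprint against the raw `cfg:group:NAME:members` line, so it only passes when gpg.conf lists every member as a full fingerprint in the same case gpg prints; a group written with `0x`-prefixed key IDs, e-mail addresses or lowercase hex rejects every signature with "Signature not in group". Either state that constraint in the usage text or normalize both sides before comparing, e.g. resolve each member with `gpg --with-colons --fingerprint MEMBER | awk -F: '$1 == "fpr" {print $10; exit}'` and at minimum compare `${group_config^^}` against `${fingerprint^^}`. The derivation of `fingerprint` and the threshold check are outside this hunk, so I am assuming it holds a full 40-hex fingerprint as gpg's `fpr` record prints it. Minor: `[ ! -z "$group_config" ]` reads better as `[ -n "$group_config" ]`, and the trailing `;` after each `die` is unnecessary.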
@@ -118,16 +131,22 @@ verify_file() {
 }
 
 cmd_verify() {
- #TODO: support --min to override the default minimum of 3
- local min=3
- #TODO: support --group for a gpg-group
- local group=""
+ local opts selected_line min=1 group=""
+ opts="$(getopt -o m:g: -l min:,group: -n "$PROGRAM" -- "$@")"
+ local err=$?
+ eval set -- "$opts"
+ while true; do case $1 in
+ -m|--min) min="$2"; shift 2 ;;
+ -g|--group) group="$2"; shift 2 ;;
+ --) shift; break ;;
+ esac done
+
 #TODO: if git: show git signature status to aid in trust building
 #TODO: if git and if invalid: show diff against last valid version
 ( [ -d ".${PROGRAM}" ] && ls .${PROGRAM}/*.asc >/dev/null 2>&1 ) \
 || die "Error: No signatures"
 cmd_manifest
- verify_file "${min}" .${PROGRAM}/manifest.txt
+ verify_file "${min}" "${group}" .${PROGRAM}/manifest.txt
 }
 
 cmd_add(){
@@ -143,13 +162,13 @@ cmd_add(){
 
 cmd_version() {
 cat <<-_EOF
- ============================================
- = sig: simple multisig trust toolchain =
- = =
- = v0.0.1 =
- = =
- = https://gitlab.com/pchq/sig =
- ============================================
+ ==========================================
+ = sig: simple multisig trust toolchain =
+ = =
+ = v0.0.1 =
+ = =
+ = https://gitlab.com/pchq/sig =
+ ==========================================
 _EOF
 }
 
@@ -157,7 +176,7 @@ cmd_usage() {
 cmd_version
 cat <<-_EOF
 Usage:
- $PROGRAM verify
+ $PROGRAM verify [--group=,-g ] [--min=,-m ]
 Verify all signing policies for this directory are met
 $PROGRAM add
 Add signature to manifest for this directory
@@ -170,7 +189,7 @@ cmd_usage() {
 _EOF
 }
 
-check_tools head cut find sort sed gpg openssl
+check_tools head cut find sort sed gpg openssl getopt
 PROGRAM="${0##*/}"
 COMMAND="$1"
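Review bot: In cmd_verify, `local err=$?` captures getopt's exit status but nothing reads it, and the `case $1` has no `*)` arm, so an invalid option (or a legacy non-enhanced `getopt` whose output `eval set --` cannot consume) leaves arguments the loop never matches and `while true` spins forever instead of failing. Add `[ "$err" -eq 0 ] || { cmd_usage; exit 1; }` right after the capture, a `*) die "Error: unexpected argument: $1" ;;` arm, and — since `-l min:,group:` needs util-linux enhanced getopt rather than the BSD/macOS one — a one-time probe such as `getopt -T >/dev/null 2>&1; [ $? -eq 4 ] || die "Error: enhanced getopt required"`. `selected_line` is declared and never used, and `min` is passed through unvalidated, so `--min=abc` reaches the threshold comparison. Worth a sentence in the commit message as well: the default threshold silently drops from 3 to 1 here, which weakens the out-of-the-box policy for anyone who ran `verify` without `--min` before.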