diff --git a/rhizome_bundle.c b/rhizome_bundle.c
index 4082cdbf..1a4563d9 100644
--- a/rhizome_bundle.c
+++ b/rhizome_bundle.c
@@ -382,6 +382,7 @@ int rhizome_manifest_verify(rhizome_manifest *m)
 assert(m->manifest_body_bytes > 0);
 assert(m->manifest_all_bytes > 0);
 assert(m->manifest_body_bytes <= m->manifest_all_bytes);
+ assert(m->sig_count == 0);
 if (m->manifest_body_bytes == m->manifest_all_bytes)
 assert(m->manifestdata[m->manifest_body_bytes - 1] == '\0');
 // Hash the body
diff --git a/rhizome_crypto.c b/rhizome_crypto.c
index 476e8005..efb2f640 100644
--- a/rhizome_crypto.c
+++ b/rhizome_crypto.c
@@ -507,6 +507,7 @@ int rhizome_manifest_extract_signature(rhizome_manifest *m, unsigned *ofs)
 if (*ofs + len > m->manifest_all_bytes) {
 WARNF("Invalid signature at offset %u: type=%#02x gives len=%u that overruns manifest size", *ofs, sigType, len);
+ *ofs = m->manifest_all_bytes;
 RETURN(1);
 }
 *ofs += len;
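Review bot: The new `assert(m->sig_count == 0);` in rhizome_manifest_verify (rhizome_bundle.c) enforces its precondition only in builds that keep assertions; with NDEBUG defined the check disappears and a manifest that already carries extracted signatures would be verified again with whatever state is left in it. If any caller can reach this function a second time for a manifest received from a peer, an assert-enabled build aborts the process instead, so a runtime check that fails the verification would be the safer guard; the function's return convention is outside the hunk, so the exact statement is not given here. At minimum the line deserves a comment such as `// Precondition: no signatures extracted yet; callers must not verify the same manifest twice`.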
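Review bot: The added `*ofs = m->manifest_all_bytes;` in rhizome_manifest_extract_signature (rhizome_crypto.c) changes what the function leaves in `*ofs` on this failure path, but nothing in the hunk documents that; a comment such as `// Skip to the end of the manifest so the caller's scan stops instead of re-reading this block` would record the contract. The function's other early returns are outside the hunk, and any that return non-zero without advancing `*ofs` would presumably leave the caller at the same offset, so they should be checked for the same problem. The guard above it, `*ofs + len > m->manifest_all_bytes`, is an unsigned sum of values taken from the manifest; writing it as `len > m->manifest_all_bytes - *ofs` avoids relying on the sum not wrapping, assuming `*ofs` is already known to lie within the manifest at this point.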