diff --git a/pesign-obs-integration.changes b/pesign-obs-integration.changes
index b1881e0..e658b12 100644
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Feb 12 15:42:22 CET 2013 - mls@suse.de
+
+- reduce debugging as pesign is now fixed
+
+-------------------------------------------------------------------
+Tue Feb 12 12:33:41 CET 2013 - mls@suse.de
+
+- add a bit of debug output to find out why the kernel signatures
+  are bad
+
 -------------------------------------------------------------------
 Wed Feb  6 13:24:14 CET 2013 - mls@suse.de
 
diff --git a/pesign-obs-integration.spec b/pesign-obs-integration.spec
index 1829d39..6050119 100644
--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@@ -16,6 +16,8 @@
 #
 
 
+# needssslcertforbuild
+
 Name:           pesign-obs-integration
 Summary:        Macros and scripts to sign the kernel and bootloader
 License:        GPL-2.0
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index eae28c2..ee5a692 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -99,9 +99,15 @@ for sig in "${sigs[@]}"; do
 		infile=${sig%.sig}
 		cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
 		test -s ${infile}.sattrs || exit 1
+		ohash=$(pesign -n "$nss_db" -h -i "$f")
 		pesign -n "$nss_db" -c cert -i "$f" -o "$f.tmp" -d sha256 -I "${infile}.sattrs" -R "$sig"
 		rm -f "${infile}.sattrs"
 		mv "$f.tmp" "$f"
+		nhash=$(pesign -n "$nss_db" -h -i "$f")
+		if test "$ohash" != "$nhash" ; then
+		    echo "hash mismatch error: $ohash $nhash"
+		    exit 1
+		fi
 		;;
 	*)
 		echo "Warning: unhandled signature: $sig" >&2