diff --git a/src/lib/eet/Eet_private.h b/src/lib/eet/Eet_private.h
index b487cf82f5..c2e6702cac 100644
--- a/src/lib/eet/Eet_private.h
+++ b/src/lib/eet/Eet_private.h
@@ -334,4 +334,6 @@ void eet_mempool_shutdown(void);
 # define EET_ASSERT(Test, Do) if (Test == 0) {abort(); }
 #endif /* ifdef DNDEBUG */
 
+#define EET_MAGIC_SIGN 0x1ee74271
+
 #endif /* ifndef _EET_PRIVATE_H */
diff --git a/src/lib/eet/eet_cipher.c b/src/lib/eet/eet_cipher.c
index 65a8635929..6ccb9cc48c 100644
--- a/src/lib/eet/eet_cipher.c
+++ b/src/lib/eet/eet_cipher.c
@@ -51,8 +51,6 @@
 #include "Eet.h"
 #include "Eet_private.h"
 
-#define EET_MAGIC_SIGN 0x1ee74271
-
 #ifdef HAVE_GNUTLS
 # define MAX_KEY_LEN 32
 # define MAX_IV_LEN 16
diff --git a/src/lib/eet/eet_lib.c b/src/lib/eet/eet_lib.c
index 367c7409fd..11d07069b6 100644
--- a/src/lib/eet/eet_lib.c
+++ b/src/lib/eet/eet_lib.c
@@ -982,18 +982,36 @@ eet_internal_read2(Eet_File *ef)
 #ifdef HAVE_SIGNATURE
 const unsigned char *buffer = ((const unsigned char *)ef->data) +
 signature_base_offset;
- ef->x509_der = eet_identity_check(ef->data,
- signature_base_offset,
- &ef->sha1,
- &ef->sha1_length,
- buffer,
- ef->data_size - signature_base_offset,
- &ef->signature,
- &ef->signature_length,
- &ef->x509_length);
+ unsigned long int sig_size = ef->data_size - signature_base_offset;
 
- if (eet_test_close(!ef->x509_der, ef))
- return NULL;
+ /* check that the signature is a sane size to bother even checking */
+ if (sig_size >= (3 * sizeof(int)))
+ {
+ int head[3];
+
+ /* check the signature has the magic number and sig + cert len
+ * + magic is sane */
+ memcpy(head, buffer, 3 * sizeof(int));
+ head[0] = ntohl(head[0]);
+ head[1] = ntohl(head[1]);
+ head[2] = ntohl(head[2]);
+ if ((head[0] == EET_MAGIC_SIGN) && (head[1] > 0) && (head[2] > 0))
+ {
+ /* there appears to be an actual valid identity at the end
+ * so now actually check it */
+ ef->x509_der = eet_identity_check(ef->data,
+ signature_base_offset,
+ &ef->sha1,
+ &ef->sha1_length,
+ buffer,
+ sig_size,
+ &ef->signature,
+ &ef->signature_length,
+ &ef->x509_length);
+
+ if (eet_test_close(!ef->x509_der, ef)) return NULL;
+ }
+ }
 
 #else /* ifdef HAVE_SIGNATURE */
 ERR(
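Review bot: The size-and-magic pre-check fails open: when the trailing bytes are shorter than `3 * sizeof(int)` or do not begin with `EET_MAGIC_SIGN`, `eet_identity_check()` is never called and loading continues with `ef->x509_der` unset, whereas the removed lines returned NULL whenever no certificate came back. A signature block that is damaged or altered in its first bytes then looks the same as an unsigned file, so the contract should be written down above `if (sig_size >= (3 * sizeof(int)))`, e.g. `/* trailing data without a valid signature header is ignored and the file loads as unsigned; callers that need a signed file must check the identity themselves */`. The header test also accepts any positive `head[1]` and `head[2]` without comparing their sum to `sig_size`; presumably `eet_identity_check()` enforces that bound, but it is not visible here. `eet_internal_read2()` starts and ends outside this hunk.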