diff --git a/mockid/mockid.go b/mockid/mockid.go
index 338bb80..559e4b1 100644
--- a/mockid/mockid.go
+++ b/mockid/mockid.go
@@ -141,7 +141,6 @@ func JOSESign(privkey keypairs.PrivateKey, hash []byte) []byte {
 // TODO: move to keypairs
 func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
- var verified bool
 switch pub := pubkey.Key().(type) {
 case *rsa.PublicKey:
@@ -149,8 +148,9 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
 //alg := "SHA256"
 // TODO: this hasn't been tested yet
 if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {
- verified = true
+ return false
 }
+ return true
 case *ecdsa.PublicKey:
 r := &big.Int{}
 r.SetBytes(sig[0:32])
@@ -158,12 +158,11 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
 s.SetBytes(sig[32:])
 fmt.Println("debug: sig len:", len(sig))
 fmt.Println("debug: r, s:", r, s)
- verified = ecdsa.Verify(pub, hash, r, s)
+ return ecdsa.Verify(pub, hash, r, s)
 default:
 panic("impossible condition: non-rsa/non-ecdsa key")
+ return false
 }
-
- return verified
 }
 func issueNonce(w http.ResponseWriter, r *http.Request) {
diff --git a/xkeypairs/sign.go b/xkeypairs/sign.go
index b4a987b..c2f4492 100644
--- a/xkeypairs/sign.go
+++ b/xkeypairs/sign.go
@@ -49,14 +49,14 @@ func SignClaims(privkey keypairs.PrivateKey, header Object, claims Object) (*JWS
 }
 payload64 := base64.RawURLEncoding.EncodeToString(payload)
- hash := sha256.Sum256([]byte(fmt.Sprintf(
- `%s.%s`,
- protected64,
- payload64,
- )))
+ signable := fmt.Sprintf(`%s.%s`, protected64, payload64)
+ hash := sha256.Sum256([]byte(signable))
 sig := Sign(randsrc, privkey, hash[:])
 sig64 := base64.RawURLEncoding.EncodeToString(sig)
+ //log.Printf("\n(Sign)\nSignable: %s", signable)
+ //log.Printf("Hash: %s", hash)
+ //log.Printf("Sig: %s", sig64)
 return &JWS{
 Header: header,
diff --git a/xkeypairs/verify.go b/xkeypairs/verify.go
index 28f9f68..94babfd 100644
--- a/xkeypairs/verify.go
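Review bot: The ECDSA branch slices `sig[0:32]` at the end of the `@@ -149,8 +148,9 @@` hunk without checking `len(sig)`, so a signature shorter than 32 bytes makes the verifier panic instead of returning false — and `sig` is precisely the untrusted value being verified. The fixed offset also assumes a P-256 key; for any other curve the r||s split lands in the wrong place and every signature fails. Derive the component size from the curve and reject malformed lengths before slicing, as below; the matching `s.SetBytes(sig[32:])` sits in the next hunk, and JOSEVerify's signature is in the hunk above.
```go
	case *ecdsa.PublicKey:
		// JWS ES* signatures are raw r||s, each the curve's byte size; reject anything else before slicing
		size := (pub.Curve.Params().BitSize + 7) / 8
		if len(sig) != 2*size {
			return false
		}
		r := new(big.Int).SetBytes(sig[:size])
		s := new(big.Int).SetBytes(sig[size:])
		// … unchanged: debug prints and ecdsa.Verify …
```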
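Review bot: The `return false` added after `panic(...)` in the `default` case of the `@@ -158,12 +158,11 @@` hunk is unreachable — `go vet` reports it — and it does not make the unsupported-key path fail closed, because the panic still fires first. If a non-RSA/non-ECDSA key can only reach this point through a programming error, drop the added line and keep the panic; if `pubkey` can be built from a remote JWK (not visible here), replace the panic with a plain `return false` so an unexpected key type fails verification rather than crashing the process. The two `fmt.Println("debug: ...")` context lines in the same hunk print attacker-supplied signature values to stdout on every verification and should be removed or gated before this ships.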
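Review bot: The three commented-out `log.Printf` lines added after `sig64` in the xkeypairs/sign.go hunk are dead code; if tracing is wanted, gate it behind a debug flag rather than leaving it to be uncommented by hand. Note that `//log.Printf("Hash: %s", hash)` would print the raw `[32]byte` digest as bytes — use `%x` for `hash` if it is ever enabled. The `signable` extraction itself is fine and matches the string built on the verify side. SignClaims starts and ends outside this hunk.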
+++ b/xkeypairs/verify.go
@@ -73,26 +73,31 @@ func VerifyClaims(pubkey keypairs.PublicKey, jws *JWS) (bool, error) {
 fmt.Println("Security TODO: did not check jws.Claims[\"kid\"] against thumbprint")
 }
- hash := sha256.Sum256([]byte(fmt.Sprintf("%s.%s", jws.Protected, jws.Payload)))
+ signable := fmt.Sprintf("%s.%s", jws.Protected, jws.Payload)
+ hash := sha256.Sum256([]byte(signable))
 sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
 if nil != err {
 return false, err
 }
+ //log.Printf("\n(Verify)\nSignable: %s", signable)
+ //log.Printf("Hash: %s", hash)
+ //log.Printf("Sig: %s", jws.Signature)
 return Verify(pub, hash[:], sig), nil
 }
 func Verify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
- var verified bool
 switch pub := pubkey.Key().(type) {
 case *rsa.PublicKey:
+ //log.Printf("RSA VERIFY")
 // TODO keypairs.Size(key) to detect key size ?
 //alg := "SHA256"
 // TODO: this hasn't been tested yet
 if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {
- verified = true
+ return false
 }
+ return true
 case *ecdsa.PublicKey:
 r := &big.Int{}
 r.SetBytes(sig[0:32])
@@ -100,12 +105,11 @@ func Verify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
 s.SetBytes(sig[32:])
 fmt.Println("debug: sig len:", len(sig))
 fmt.Println("debug: r, s:", r, s)
- verified = ecdsa.Verify(pub, hash, r, s)
+ return ecdsa.Verify(pub, hash, r, s)
 default:
 panic("impossible condition: non-rsa/non-ecdsa key")
+ return false
 }
-
- return verified
 }
 const maxRetry = 16
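Review bot: `Verify` in the `@@ -73,26 +73,31 @@` hunk is a byte-for-byte copy of `JOSEVerify` in mockid/mockid.go, which still carries `// TODO: move to keypairs` — this commit had to fix the inverted `rsa.VerifyPKCS1v15` check in both copies, which is exactly the hazard of duplicated verifier code; have `JOSEVerify` delegate to `xkeypairs.Verify` (or delete it) so the next fix lands once. The same missing length check applies here: `r.SetBytes(sig[0:32])` at the hunk's end panics on a decoded signature shorter than 32 bytes, so add `if len(sig) < 32 { return false }` (better: size the split from `pub.Curve.Params().BitSize`) before slicing. Separately, `VerifyClaims` at the top of the hunk prints a "Security TODO" about the unchecked `kid` thumbprint and then returns a positive result anyway; if `pub` can be influenced by the token presenter, that check is what ties the key to a trusted identity and the function should fail closed until it is implemented. `VerifyClaims` begins outside the hunk.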
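Review bot: The `return false` added after `panic(...)` in the `default` case of the `@@ -100,12 +105,11 @@` hunk is dead code that `go vet` flags as unreachable; either remove it or, if an unexpected key type is reachable from input, replace the panic with `return false` so verification fails closed instead of crashing. The `fmt.Println("debug: sig len:", ...)` and `fmt.Println("debug: r, s:", ...)` context lines write the untrusted signature to stdout on every call and should be removed or moved behind a debug flag. The `return ecdsa.Verify(pub, hash, r, s)` change itself is correct. `Verify` begins in the previous hunk.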