diff --git a/src/upload.ts b/src/upload.ts
index 7fd090433918d95d21c318e8ebbcf6a239c6cf3f..c48e73cf4af8d4a7335fad9e6909bfa5b75d7da6 100644
--- a/src/upload.ts
+++ b/src/upload.ts
@@ -231,22 +231,29 @@ export async function uploadCsHandler(ctx: KoaContext) {
         .update(fileData)
         .digest()
 
-        // extra check if client manges to lie about the content-length
+    // extra check if client manages to lie about the content-length
     APIError.assert((file.stream as any).truncated !== true,
         APIError.Code.PayloadTooLarge)
 
-    const imageHash = createHash('sha256')
+    // Expecting the signature to be based on the integrity checksum of the image
+    const expectedSignature = createHash('sha256')
         .update('ImageSigningChallenge')
         .update(fileHash)
         .digest()
 
+    // Used to generate the image storage key
+    const imageHash = createHash('sha256')
+        .update('ImageSigningChallenge')
+        .update(fileData)
+        .digest()
+
     const [account] = await rpcClient.database.getAccounts([ctx.params['username']])
     APIError.assert(account, APIError.Code.NoSuchAccount)
 
     let validSignature = false
     let publicKey
     try {
-        publicKey = signature.recover(imageHash).toString()
+        publicKey = signature.recover(expectedSignature).toString()
     } catch (cause) {
         throw new APIError({code: APIError.Code.InvalidSignature, cause})
     }
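Review bot: `expectedSignature` holds the SHA-256 digest the client is expected to have signed, not a signature, so `signature.recover(expectedSignature)` reads wrongly at the verification step; a name such as `signedDigest`, with the comment `// digest the client signs: sha256('ImageSigningChallenge' || fileHash)`, would make clear what is being verified. The new `imageHash` keeps the 'ImageSigningChallenge' prefix although it is no longer the signed value, and it now hashes `fileData` instead of `fileHash`. Storage keys for images stored before this change would therefore presumably differ from a re-upload of the same file, which is worth confirming as intended and stating in the comment. As far as this hunk shows, the signed digest covers only the file contents, so nothing visible ties a signature to the account or to a point in time. The comparison of the recovered key against the account's keys lies outside the hunk, as does the start of `uploadCsHandler`.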