diff --git a/lib/crypto/rsa/rsa2048_public.go b/lib/crypto/rsa/rsa2048_public.go
index 88d4158..9b9c978 100644
--- a/lib/crypto/rsa/rsa2048_public.go
+++ b/lib/crypto/rsa/rsa2048_public.go
@@ -30,13 +30,12 @@ func (r RSA2048PublicKey) VerifyHash(h []byte, sig []byte) error {
 }
 
 // For RSA2048, we use SHA-256
- hashed := h
 if len(h) != sha256.Size {
- // If we received a different hash size, warn but continue
- log.Warnf("RSA2048 verification received unexpected hash size: %d", len(h))
+ return oops.Errorf("RSA2048 verification requires SHA-256 hash (expected %d bytes, got %d)",
+ sha256.Size, len(h))
 }
 
- err = rsa.VerifyPKCS1v15(pubKey, crypto.SHA256, hashed, sig)
+ err = rsa.VerifyPKCS1v15(pubKey, crypto.SHA256, h, sig)
 if err != nil {
 return oops.Errorf("RSA signature verification failed: %w", err)
 }
diff --git a/lib/crypto/rsa/rsa3072_public.go b/lib/crypto/rsa/rsa3072_public.go
index e71d253..ae0388d 100644
--- a/lib/crypto/rsa/rsa3072_public.go
+++ b/lib/crypto/rsa/rsa3072_public.go
@@ -3,6 +3,7 @@ package rsa
 import (
 "crypto"
 "crypto/rsa"
+ "crypto/sha256"
 "crypto/sha512"
 
 "github.com/go-i2p/go-i2p/lib/crypto/types"
@@ -30,8 +31,8 @@ func (r RSA3072PublicKey) VerifyHash(h []byte, sig []byte) error {
 // For RSA3072, SHA512 is often used
 hashed := h
 if len(h) != sha512.Size {
- // If we received a different hash size, warn but continue
- log.Warnf("RSA3072 verification received unexpected hash size: %d", len(h))
+ return oops.Errorf("RSA3072 verification requires SHA-256 hash (expected %d bytes, got %d)",
+ sha256.Size, len(h))
 }
 
 err = rsa.VerifyPKCS1v15(pubKey, crypto.SHA512, hashed, sig)
diff --git a/lib/crypto/rsa/rsa4096_public.go b/lib/crypto/rsa/rsa4096_public.go
index 8577e12..7067a28 100644
--- a/lib/crypto/rsa/rsa4096_public.go
+++ b/lib/crypto/rsa/rsa4096_public.go
@@ -3,6 +3,7 @@ package rsa
 import (
 "crypto"
 "crypto/rsa"
+ "crypto/sha256"
 "crypto/sha512"
 
 "github.com/go-i2p/go-i2p/lib/crypto/types"
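Review bot: In the rsa3072_public.go VerifyHash hunk, the new error text contradicts the check that guards it: the condition is `len(h) != sha512.Size` and the verify call uses `crypto.SHA512`, yet the message says a SHA-256 hash is required and prints `sha256.Size` as the expected length. A caller who follows the message and supplies 32 bytes is rejected again, so the return should read `return oops.Errorf("RSA3072 verification requires SHA-512 hash (expected %d bytes, got %d)", sha512.Size, len(h))`. With that change the `crypto/sha256` import added in the import hunk of the same file is no longer needed. The leftover `hashed := h` alias could also be dropped, as the rsa2048 hunk already does. VerifyHash begins above this hunk and continues past it.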
@@ -35,8 +36,8 @@ func (r RSA4096PublicKey) VerifyHash(h []byte, sig []byte) error {
 // Verify the signature using PKCS1v15
 err = rsa.VerifyPKCS1v15(pubKey, crypto.SHA512, h, sig)
 if err != nil {
- log.WithError(err).Error("RSA-4096 signature verification failed")
- return oops.Errorf("invalid RSA-4096 signature: %w", err)
+ return oops.Errorf("RSA4096 verification requires SHA-256 hash (expected %d bytes, got %d)",
+ sha256.Size, len(h))
 }
 
 log.Debug("RSA-4096 signature verified successfully")
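Review bot: The return inside `if err != nil` after `rsa.VerifyPKCS1v15` now reports a hash-size problem, so every failed RSA-4096 signature check is described as "requires SHA-256 hash" and the underlying `err` is no longer wrapped with `%w`. Verification still fails closed, but callers and logs lose the real cause, and the stated algorithm and `sha256.Size` do not match the `crypto.SHA512` passed to the verify call. If a length guard was intended, it belongs before the verify call and should compare against `sha512.Size`, which also makes the new `crypto/sha256` import unnecessary. VerifyHash starts above this hunk, so an earlier length check may already exist; if it does, only the restored return is needed.

```go
// Verify the signature using PKCS1v15
if len(h) != sha512.Size {
	return oops.Errorf("RSA4096 verification requires SHA-512 hash (expected %d bytes, got %d)",
		sha512.Size, len(h))
}
err = rsa.VerifyPKCS1v15(pubKey, crypto.SHA512, h, sig)
if err != nil {
	return oops.Errorf("invalid RSA-4096 signature: %w", err)
}
// … unchanged: success debug log …
```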