diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index 1357857c5..0648bea0c 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -509,13 +509,12 @@ grub_verify_signature_init (struct grub_pubkey_context *ctxt, grub_file_t sig)
 
   grub_dprintf ("crypt", "alive\n");
 
-  ctxt->sig = sig;
-
   ctxt->hash_context = grub_zalloc (ctxt->hash->contextsize);
   if (!ctxt->hash_context)
     return grub_errno;
 
   ctxt->hash->init (ctxt->hash_context);
+  ctxt->sig = sig;
 
   return GRUB_ERR_NONE;
 }
@@ -698,16 +697,26 @@ grub_pubkey_close (void *ctxt)
 }
 
 grub_err_t
-grub_verify_signature (grub_file_t f, grub_file_t sig,
+grub_verify_signature (grub_file_t f, const char *fsig,
 		       struct grub_public_key *pkey)
 {
+  grub_file_t sig;
   grub_err_t err;
   struct grub_pubkey_context ctxt;
   grub_uint8_t *readbuf = NULL;
 
+  sig = grub_file_open (fsig,
+			GRUB_FILE_TYPE_SIGNATURE
+			| GRUB_FILE_TYPE_NO_DECOMPRESS);
+  if (!sig)
+    return grub_errno;
+
   err = grub_verify_signature_init (&ctxt, sig);
   if (err)
-    return err;
+    {
+      grub_file_close (sig);
+      return err;
+    }
 
   readbuf = grub_zalloc (READBUF_SIZE);
   if (!readbuf)
@@ -879,7 +888,7 @@ static grub_err_t
 grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
 			   int argc, char **args)
 {
-  grub_file_t f = NULL, sig = NULL;
+  grub_file_t f = NULL;
   grub_err_t err = GRUB_ERR_NONE;
   struct grub_public_key *pk = NULL;
 
@@ -917,19 +926,8 @@ grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
       goto fail;
     }
 
-  sig = grub_file_open (args[1],
-			GRUB_FILE_TYPE_SIGNATURE
-			| GRUB_FILE_TYPE_NO_DECOMPRESS);
-  if (!sig)
-    {
-      err = grub_errno;
-      goto fail;
-    }
-
-  err = grub_verify_signature (f, sig, pk);
+  err = grub_verify_signature (f, args[1], pk);
  fail:
-  if (sig)
-    grub_file_close (sig);
   if (f)
     grub_file_close (f);
   if (pk)
@@ -974,7 +972,8 @@ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unuse
   err = grub_verify_signature_init (ctxt, sig);
   if (err)
     {
-      grub_pubkey_close (ctxt);
+      grub_free (ctxt);
+      grub_file_close (sig);
       return err;
     }
   *context = ctxt;
diff --git a/include/grub/pubkey.h b/include/grub/pubkey.h
index 4a9d04b43..fb8be9cbb 100644
--- a/include/grub/pubkey.h
+++ b/include/grub/pubkey.h
@@ -25,7 +25,7 @@ struct grub_public_key *
 grub_load_public_key (grub_file_t f);
 
 grub_err_t
-grub_verify_signature (grub_file_t f, grub_file_t sig,
+grub_verify_signature (grub_file_t f, const char *fsig,
 		       struct grub_public_key *pk);