diff --git a/NEWS b/NEWS
index 10c764e6..d200ab4f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,8 @@
 xbps-0.35 (???):
+ * xbps-rindex(8): fixed a bug while signing repositories in that sometimes
+ the PEM RSA public key buffer contained unwanted garbage.
+
 * Make sure that required root symlinks in void are never removed or detected as obsoletes; added new test cases to stress the code works as expected.
diff --git a/bin/xbps-rindex/sign.c b/bin/xbps-rindex/sign.c
index e6178b87..b6928f4c 100644
--- a/bin/xbps-rindex/sign.c
+++ b/bin/xbps-rindex/sign.c
@@ -71,7 +71,8 @@ static char *
 pubkey_from_privkey(RSA *rsa)
 {
 BIO *bp;
- char *buf;
+ char *buf = NULL;
+ int len;
 bp = BIO_new(BIO_s_mem());
 assert(bp);
@@ -85,9 +86,10 @@ pubkey_from_privkey(RSA *rsa)
 /* XXX (xtraeme) 8192 should be always enough? */
 buf = malloc(8192);
 assert(buf);
- BIO_read(bp, buf, 8192);
+ len = BIO_read(bp, buf, 8191);
 BIO_free(bp);
 ERR_free_strings();
+ buf[len] = '\0';
 return buf;
 }
@@ -128,7 +130,7 @@ sign_repo(struct xbps_handle *xhp, const char *repodir,
 unsigned int siglen;
 uint16_t rpubkeysize, pubkeysize;
 const char *arch, *pkgver, *rsignedby = NULL;
- char *binpkg, *binpkg_sig, *buf, *defprivkey;
+ char *binpkg = NULL, *binpkg_sig = NULL, *buf = NULL, *defprivkey = NULL;
 int binpkg_fd, binpkg_sig_fd, rv = 0;
 bool flush = false;
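Review bot: In the second sign.c hunk (`@@ -85,9 +86,10 @@`, the tail of pubkey_from_privkey), `buf[len] = '\0';` indexes the heap buffer with the unchecked return value of BIO_read(). BIO_read() returns 0 or a negative value when no data was read or the call failed, so a negative `len` stores the terminator before the start of `buf`; the start of the function, including the PEM write into `bp`, lies outside this hunk, so whether that write's result is checked cannot be seen here. Reject the short read before terminating, for example `if (len <= 0) { free(buf); return NULL; }` placed ahead of `buf[len] = '\0';`, and confirm that the caller in sign_repo handles a NULL key. The fixed 8192-byte allocation also truncates a longer PEM silently; sizing the buffer from `BIO_pending(bp)` would replace the guess recorded in the XXX comment. Note too that `assert(buf)` is the only allocation check and is compiled out under NDEBUG.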