diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenPsoSignTokenOp.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenPsoSignTokenOp.java
index 71bee4638..a692f28cc 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenPsoSignTokenOp.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/SecurityTokenPsoSignTokenOp.java
@@ -145,6 +145,13 @@ public class SecurityTokenPsoSignTokenOp {
             if (bs[0] == 0x00 && (bs[1] & 0x80) == 0) {
                 bs = Arrays.copyOfRange(bs, 1, bs.length);
             }
+            // prepend a zero if the MPI value (i.e. high bit of first byte) is negative
+            if (br[0] < 0) {
+                br = Arrays.prepend(br, (byte) 0);
+            }
+            if (bs[0] < 0) {
+                bs = Arrays.prepend(bs, (byte) 0);
+            }
             ByteArrayOutputStream baos = new ByteArrayOutputStream();
             ASN1OutputStream out = ASN1OutputStream.create(baos);
             out.writeObject(new DERSequence(new ASN1Encodable[]{new ASN1Integer(br), new ASN1Integer(bs)}));