diff --git a/include/libssh/pki.h b/include/libssh/pki.h
index 0f0fac5d..13cd3747 100644
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -88,6 +88,7 @@ struct ssh_signature_struct {
 struct mbedtls_ecdsa_sig ecdsa_sig;
 #endif /* HAVE_LIBGCRYPT */
 ed25519_signature *ed25519_sig;
+ ssh_string raw_sig;
 };
 typedef struct ssh_signature_struct *ssh_signature;
diff --git a/src/pki.c b/src/pki.c
index 9dbcd317..a8da2b93 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -629,6 +629,9 @@ void ssh_signature_free(ssh_signature sig)
 break;
 }
+ /* Explicitly zero the signature content before free */
+ ssh_string_burn(sig->raw_sig);
+ ssh_string_free(sig->raw_sig);
 SAFE_FREE(sig);
 }
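Review bot: The new `raw_sig` member of `struct ssh_signature_struct` has no comment saying what it holds or who owns it, although the src/pki.c hunk makes `ssh_signature_free()` wipe and release it. I would record the ownership at the declaration, for example `ssh_string raw_sig; /* owned by the signature; burned and freed in ssh_signature_free() */`. The struct begins above this hunk, so whether the other members are documented the same way cannot be seen from here.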
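Review bot: `ssh_signature_free()` now passes `sig->raw_sig` to `ssh_string_burn()` and `ssh_string_free()` unconditionally, so every path that allocates an `ssh_signature_struct` must leave `raw_sig` either NULL or pointing at a string the signature exclusively owns. An allocation that does not zero the struct would hand an indeterminate pointer to both calls, and a `raw_sig` that aliases a buffer freed elsewhere would be released twice. Neither the allocator nor the code that assigns `raw_sig` appears in this diff, and the start of the function is outside the hunk, so both points, along with NULL handling in the two helpers, need confirming against the rest of the file. The added comment could state the reason rather than the action, e.g. `/* raw_sig is owned by the signature: wipe its bytes, then release it */`.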