diff --git a/src/crypto-batch.js b/src/crypto-batch.js
index 05342af..77f4edb 100644
--- a/src/crypto-batch.js
+++ b/src/crypto-batch.js
@@ -30,12 +30,12 @@
             throw new Error('Arguments missing!');
         }
 
-        // encrypt a list of items
-        self.encryptList(list);
-
         // set sender private key
         self._rsa.init(null, senderPrivkey.privateKey);
 
+        // encrypt a list of items
+        self.encryptList(list);
+
         list.forEach(function(i) {
             // fetch correct public key for encryption
             receiverPk = null;
@@ -71,7 +71,7 @@
         // set sender's keypair id for later verification
         i.senderPk = senderKeyId;
         // sign the bundle
-        i.signature = self._rsa.sign([i.iv, i.ciphertext]);
+        i.signature = self._rsa.sign([i.iv, i.key, i.ciphertext]);
 
         // delete plaintext values
         delete i.key;
@@ -155,12 +155,13 @@
         // set rsa public key used to verify
         self._rsa.init(senderPubkey);
 
+        // decrypt symmetric item key for user
+        i.key = self._rsa.decrypt(i.encryptedKey);
+
         // verify signature
-        if (!self._rsa.verify([i.iv, i.ciphertext], i.signature)) {
+        if (!self._rsa.verify([i.iv, i.key, i.ciphertext], i.signature)) {
             throw new Error('Verifying RSA signature failed!');
         }
-        // decrypt symmetric item key for user
-        i.key = self._rsa.decrypt(i.encryptedKey);
 
         // delete ciphertext values
         delete i.signature;