diff --git a/src/error.rs b/src/error.rs
index 93c3a29..9a9dc4e 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -100,6 +100,9 @@ pub(crate) enum ErrorKind {
 #[error("Couldn't sign digest")]
 Signature(#[from] signature::Error),
+ #[error("Couldn't read signature")]
+ ReadSignature(signature::Error),
+
 #[error("Couldn't parse the signature header")]
 HeaderValidation(#[from] actix_web::http::header::InvalidHeaderValue),
diff --git a/src/middleware/verifier.rs b/src/middleware/verifier.rs
index 8234787..83f967a 100644
--- a/src/middleware/verifier.rs
+++ b/src/middleware/verifier.rs
@@ -113,15 +113,18 @@ async fn do_verify(
 ) -> Result<(), Error> {
 let public_key = RsaPublicKey::from_public_key_pem(public_key.trim())?;
+ let span = tracing::Span::current();
 web::block(move || {
- let decoded = base64::decode(signature)?;
- let signature = Signature::from_bytes(&decoded)?;
- let hashed = Sha256::new_with_prefix(signing_string.as_bytes());
+ span.in_scope(|| {
+ let decoded = base64::decode(signature)?;
+ let signature = Signature::from_bytes(&decoded).map_err(ErrorKind::ReadSignature)?;
+ let hashed = Sha256::new_with_prefix(signing_string.as_bytes());
- let verifying_key = VerifyingKey::new_with_prefix(public_key);
- verifying_key.verify_digest(hashed, &signature)?;
+ let verifying_key = VerifyingKey::new_with_prefix(public_key);
+ verifying_key.verify_digest(hashed, &signature)?;
- Ok(()) as Result<(), Error>
+ Ok(()) as Result<(), Error>
+ })
 })
 .await??;
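Review bot: The new `ReadSignature(signature::Error)` variant stores the underlying error, but neither its `#[error("Couldn't read signature")]` message nor a `#[source]` attribute exposes it, so with thiserror the cause is likely absent from `source()` chains and from log output. Because `#[from]` is already used by `Signature` for the same type, writing the field as `ReadSignature(#[source] signature::Error)` keeps the cause reachable without a second `From` impl. A short doc comment on the variant, for example `/// The decoded bytes were not a well-formed signature; raised before verification is attempted.`, would help whoever triages rejected requests. The enum body continues outside the hunk.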
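Review bot: A failed `verify_digest` inside the new `span.in_scope` closure still propagates through a bare `?`, which presumably converts via the `#[from]` on `ErrorKind::Signature` and is reported as "Couldn't sign digest". For an inbound request whose signature does not verify, that message points responders at the signing path rather than at a rejected signature. Mapping it explicitly, the way the `from_bytes` line now does, would fix this, e.g. `verifying_key.verify_digest(hashed, &signature).map_err(ErrorKind::VerifySignature)?;`, where `VerifySignature` is a proposed new variant that does not exist on this page. The body of `do_verify` starts before the hunk, so how `signature` and `signing_string` are obtained is not visible here.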