diff --git a/core/java/src/net/i2p/data/SigningPublicKey.java b/core/java/src/net/i2p/data/SigningPublicKey.java
index 1234d1b703..2c28e3b241 100644
--- a/core/java/src/net/i2p/data/SigningPublicKey.java
+++ b/core/java/src/net/i2p/data/SigningPublicKey.java
@@ -132,10 +132,20 @@ public class SigningPublicKey extends SimpleDataStructure {
 if (newType == null)
 return new SigningPublicKey(null, _data);
 int newLen = newType.getPubkeyLen();
- if (newLen == SigType.DSA_SHA1.getPubkeyLen())
+ int ctype = kcert.getCryptoTypeCode();
+ if (ctype == 0) {
+ // prohibit excess key data
+ // TODO non-zero crypto type if added
+ int sz = 7;
+ if (newLen > KEYSIZE_BYTES)
+ sz += newLen - KEYSIZE_BYTES;
+ if (kcert.size() != sz)
+ throw new IllegalArgumentException("Excess data in key certificate");
+ }
+ if (newLen == KEYSIZE_BYTES)
 return new SigningPublicKey(newType, _data);
 byte[] newData = new byte[newLen];
- if (newLen < SigType.DSA_SHA1.getPubkeyLen()) {
+ if (newLen < KEYSIZE_BYTES) {
 // right-justified
 System.arraycopy(_data, _data.length - newLen, newData, 0, newLen);
 } else {
@@ -163,9 +173,9 @@ public class SigningPublicKey extends SimpleDataStructure {
 if (_type != SigType.DSA_SHA1)
 throw new IllegalStateException("Cannot convert " + _type + " to " + newType);
 int newLen = newType.getPubkeyLen();
- if (newLen >= SigType.DSA_SHA1.getPubkeyLen())
+ if (newLen >= KEYSIZE_BYTES)
 return null;
- int padLen = SigType.DSA_SHA1.getPubkeyLen() - newLen;
+ int padLen = KEYSIZE_BYTES - newLen;
 byte[] pad = new byte[padLen];
 System.arraycopy(_data, 0, pad, 0, padLen);
 return pad;
diff --git a/history.txt b/history.txt
index 795ac68db6..cf5565d90f 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,8 @@
+2017-09-02 zzz
+ * Data: Prohibit excess key data in certs (ticket #2035)
+ * i2psnark: New open trackers
+ * Startup: Add property to disable output redirect (ticket #2037)
+
 2017-08-26 str4d
 * Console (light):
 - Sidebar Restart/Shutdown buttons:
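Review bot: In the first SigningPublicKey.java hunk the excess-data check runs only inside `if (ctype == 0)`, so a key certificate that declares any other crypto type code still passes with arbitrary trailing bytes; the TODO acknowledges this but leaves it open. If non-zero crypto types are not rejected elsewhere (not visible in this hunk), consider failing closed until their key lengths are known, e.g. `} else { throw new IllegalArgumentException("Unsupported crypto type " + ctype); }`. The comparison `kcert.size() != sz` also rejects a certificate that is too short, so the message would be more accurate as `"Bad key certificate size " + kcert.size() + ", expected " + sz`. The literal `7` deserves a comment or a named constant stating which certificate header fields it counts. The enclosing method begins above the hunk and continues past it.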
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java index 87e5bffca0..282c18b422 100644 --- a/router/java/src/net/i2p/router/RouterVersion.java +++ b/router/java/src/net/i2p/router/RouterVersion.java @@ -18,7 +18,7 @@ public class RouterVersion { /** deprecated */ public final static String ID = "Monotone"; public final static String VERSION = CoreVersion.VERSION; - public final static long BUILD = 1; + public final static long BUILD = 2; /** for example "-test" */ public final static String EXTRA = "";