diff --git a/ed448-goldilocks/src/sign/verifying_key.rs b/ed448-goldilocks/src/sign/verifying_key.rs
index 97933309f..d92343685 100644
--- a/ed448-goldilocks/src/sign/verifying_key.rs
+++ b/ed448-goldilocks/src/sign/verifying_key.rs
@@ -281,7 +281,8 @@ impl VerifyingKey {
 // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
 let mut bytes = WideEdwardsScalarBytes::default();
- let ctx_len = ctx.len() as u8;
+ // RFC 8032 mandates context length <= 255 bytes. Enforce consistently with signing path.
+ let ctx_len = u8::try_from(ctx.len()).map_err(|_| SigningError::PrehashedContextLength)?;
 let mut reader = Shake256::default()
 .chain(HASH_HEAD)
 .chain([phflag])