diff --git a/activitypub.py b/activitypub.py
index 1a8250a..13fbe0f 100644
--- a/activitypub.py
+++ b/activitypub.py
@@ -143,12 +143,13 @@ class ActivityPub(Protocol):
         Logs details of the result. Raises :class:`werkzeug.HTTPError` if the
         signature is missing or invalid, otherwise does nothing and returns None.
         """
-        sig = request.headers.get('Signature')
+        headers = dict(request.headers)  # copy so we can modify below
+        sig = headers.get('Signature')
         if not sig:
             error('No HTTP Signature', status=401)
 
         logger.info('Verifying HTTP Signature')
-        logger.info(f'Headers: {json_dumps(dict(request.headers), indent=2)}')
+        logger.info(f'Headers: {json_dumps(headers, indent=2)}')
 
         # parse_signature_header lower-cases all keys
         sig_fields = parse_signature_header(sig)
@@ -156,13 +157,18 @@ class ActivityPub(Protocol):
         if not keyId:
             error('HTTP Signature missing keyId', status=401)
 
-        # TODO: right now, assume hs2019 is rsa-sha256 🤷
+        # TODO: right now, assume hs2019 is rsa-sha256. the real answer is...
+        # ...complicated and unclear. 🤷
         # https://github.com/snarfed/bridgy-fed/issues/430#issuecomment-1510462267
         # https://arewehs2019yet.vpzom.click/
+        # https://socialhub.activitypub.rocks/t/state-of-http-signatures/754/23
+        # https://socialhub.activitypub.rocks/t/http-signatures-libraray/2087/2
+        # https://github.com/mastodon/mastodon/pull/14556
         if sig_fields.get('algorithm') == 'hs2019':
-            sig_fields['algorithm'] = 'rsa-sha256'
+            headers['Signature'] = headers['Signature'].replace(
+                'algorithm="hs2019"', 'algorithm=rsa-sha256')
 
-        digest = request.headers.get('Digest') or ''
+        digest = headers.get('Digest') or ''
         if not digest:
             error('Missing Digest header, required for HTTP Signature', status=401)
 
@@ -188,7 +194,7 @@ class ActivityPub(Protocol):
         key = key_actor.as2.get("publicKey", {}).get('publicKeyPem')
         logger.info(f'Verifying signature for {request.path} with key {key}')
         try:
-            verified = HeaderVerifier(request.headers, key,
+            verified = HeaderVerifier(headers, key,
                                       required_headers=['Digest'],
                                       method=request.method,
                                       path=request.path,