diff --git a/src/hockeypuck/hkp/handler.go b/src/hockeypuck/hkp/handler.go
index 23f6c7d9..242f0368 100644
--- a/src/hockeypuck/hkp/handler.go
+++ b/src/hockeypuck/hkp/handler.go
@@ -356,15 +356,7 @@ func (h *Handler) get(w http.ResponseWriter, l *Lookup) {
 
 	// Drop malformed packets, since these break GPG imports.
 	for _, key := range keys {
-		var others []*openpgp.Packet
-		for _, other := range key.Others {
-			if other.Malformed {
-				log.Debugf("get %q: ignoring malformed packet", l.Search)
-				continue
-			}
-			others = append(others, other)
-		}
-		key.Others = others
+		openpgp.DropMalformed(key)
 	}
 
 	w.Header().Set("Content-Type", "application/pgp-keys")
@@ -491,7 +483,12 @@ func (h *Handler) Add(w http.ResponseWriter, r *http.Request, _ httprouter.Param
 		return
 	}
 	for _, key := range keys {
-		err := openpgp.DropDuplicates(key)
+		err := openpgp.DropMalformed(key)
+		if err != nil {
+			httpError(w, http.StatusInternalServerError, errors.WithStack(err))
+			return
+		}
+		err = openpgp.DropDuplicates(key)
 		if err != nil {
 			httpError(w, http.StatusInternalServerError, errors.WithStack(err))
 			return
@@ -564,7 +561,12 @@ func (h *Handler) Replace(w http.ResponseWriter, r *http.Request, _ httprouter.P
 		if signingFp != key.Fingerprint() {
 			continue
 		}
-		err := openpgp.DropDuplicates(key)
+		err := openpgp.DropMalformed(key)
+		if err != nil {
+			httpError(w, http.StatusInternalServerError, errors.WithStack(err))
+			return
+		}
+		err = openpgp.DropDuplicates(key)
 		if err != nil {
 			httpError(w, http.StatusInternalServerError, errors.WithStack(err))
 			return
diff --git a/src/hockeypuck/hkp/sks/recon.go b/src/hockeypuck/hkp/sks/recon.go
index de3e54cd..50d72354 100644
--- a/src/hockeypuck/hkp/sks/recon.go
+++ b/src/hockeypuck/hkp/sks/recon.go
@@ -452,7 +452,11 @@ func (r *Peer) upsertKeys(rcvr *recon.Recover, buf []byte) (*upsertResult, error
 	}
 	result := &upsertResult{}
 	for _, key := range keys {
-		err := openpgp.DropDuplicates(key)
+		err := openpgp.DropMalformed(key)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+		err = openpgp.DropDuplicates(key)
 		if err != nil {
 			return nil, errors.WithStack(err)
 		}
diff --git a/src/hockeypuck/openpgp/cmd/hashcmp/main.go b/src/hockeypuck/openpgp/cmd/hashcmp/main.go
index caf75a90..a8909702 100644
--- a/src/hockeypuck/openpgp/cmd/hashcmp/main.go
+++ b/src/hockeypuck/openpgp/cmd/hashcmp/main.go
@@ -47,6 +47,10 @@ func testKeyring(opkr *openpgp.OpaqueKeyring) (int, int, error) {
 		return 0, 0, errors.WithStack(err)
 	}
 
+	err = openpgp.DropMalformed(pk)
+	if err != nil {
+		return 0, 0, errors.WithStack(err)
+	}
 	err = openpgp.DropDuplicates(pk)
 	if err != nil {
 		return 0, 0, errors.WithStack(err)
diff --git a/src/hockeypuck/openpgp/resolve.go b/src/hockeypuck/openpgp/resolve.go
index 2da1fa05..c37bfe5f 100644
--- a/src/hockeypuck/openpgp/resolve.go
+++ b/src/hockeypuck/openpgp/resolve.go
@@ -97,6 +97,17 @@ func ValidSelfSigned(key *PrimaryKey, selfSignedOnly bool) error {
 	return key.updateMD5()
 }
 
+func DropMalformed(key *PrimaryKey) error {
+	var others []*Packet
+	for _, other := range key.Others {
+		if !other.Malformed {
+			others = append(others, other)
+		}
+	}
+	key.Others = others
+	return key.updateMD5()
+}
+
 func DropDuplicates(key *PrimaryKey) error {
 	err := dedup(key, nil)
 	if err != nil {