diff --git a/lib/jws/sign.js b/lib/jws/sign.js
index afbb3f7a..d809fd59 100644
--- a/lib/jws/sign.js
+++ b/lib/jws/sign.js
@@ -87,26 +87,21 @@ class Sign {
     recipient.header = unprotectedHeader
     recipient.protected = Object.keys(joseHeader.protected).length ? base64url.JSON.encode(joseHeader.protected) : ''
 
-    let toBeSigned
-    if (joseHeader.protected.crit && joseHeader.protected.crit.includes('b64')) {
-      if (first && !joseHeader.protected.b64) {
-        if (this._binary) {
-          this._payload = base64url.decodeToBuffer(this._payload)
-        } else {
-          this._payload = base64url.decode(this._payload)
-        }
+    if (first && joseHeader.protected.crit && joseHeader.protected.crit.includes('b64') && joseHeader.protected.b64 === false) {
+      if (this._binary) {
+        this._payload = base64url.decodeToBuffer(this._payload)
+      } else {
+        this._payload = base64url.decode(this._payload)
       }
-
-      toBeSigned = Buffer.concat([
-        Buffer.from(recipient.protected || ''),
-        Buffer.from('.'),
-        Buffer.isBuffer(this._payload) ? this._payload : Buffer.from(this._payload)
-      ])
-    } else {
-      toBeSigned = `${recipient.protected || ''}.${this._payload}`
     }
 
-    recipient.signature = base64url.encodeBuffer(sign(alg, key, toBeSigned))
+    const data = Buffer.concat([
+      Buffer.from(recipient.protected || ''),
+      Buffer.from('.'),
+      Buffer.from(this._payload)
+    ])
+
+    recipient.signature = base64url.encodeBuffer(sign(alg, key, data))
   }
 
   /*