diff --git a/tools/release.sh b/tools/release.sh
index d7dc4b6c6..9d625191e 100755
--- a/tools/release.sh
+++ b/tools/release.sh
@@ -81,21 +81,6 @@ if [ "$RELEASE_BRANCH" != "candidate-$version" ] ; then
 fi
 git checkout "$RELEASE_BRANCH"
 
-# ensure we have the latest built version of leauto
-letsencrypt-auto-source/build.py
-
-# and that it's signed correctly
-if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
-        letsencrypt-auto-source/letsencrypt-auto.sig \
-        letsencrypt-auto-source/letsencrypt-auto            ; then
-   echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH"
-   echo please fix that and re-run
-   exit 1
-else
-    echo Signature check on letsencrypt-auto successful
-fi
-
-
 SetVersion() {
     ver="$1"
     for pkg_dir in $SUBPKGS letsencrypt-compatibility-test
@@ -110,9 +95,6 @@ SetVersion() {
 }
 
 SetVersion "$version"
-git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version"
-git tag --local-user "$RELEASE_GPG_KEY" \
-    --sign --message "Release $version" "$tag"
 
 echo "Preparing sdists and wheels"
 for pkg_dir in . $SUBPKGS
@@ -175,6 +157,21 @@ for module in letsencrypt $subpkgs_modules ; do
 done
 deactivate
 
+# ensure we have the latest built version of leauto
+letsencrypt-auto-source/build.py
+
+# and that it's signed correctly
+while ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
+        letsencrypt-auto-source/letsencrypt-auto.sig \
+        letsencrypt-auto-source/letsencrypt-auto            ; do
+   read -p "Please correctly sign letsencrypt-auto with offline-signrequest.sh"
+done
+
+git diff --cached
+git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version"
+git tag --local-user "$RELEASE_GPG_KEY" \
+    --sign --message "Release $version" "$tag"
+
 cd ..
 echo Now in $PWD
 name=${root_without_le%.*}