diff --git a/.github/scripts/apple-signing/setup-prod.sh b/.github/scripts/apple-signing/setup-prod.sh
index a83198359..5f7bc73b3 100755
--- a/.github/scripts/apple-signing/setup-prod.sh
+++ b/.github/scripts/apple-signing/setup-prod.sh
@@ -11,6 +11,14 @@ fi
 if [ -z "$APPLE_DEVELOPER_ID_CERT_PASS" ]; then
   exit_with_error "APPLE_DEVELOPER_ID_CERT_PASS not set"
 fi
+
+if [ -z "$DOCKER_USERNAME" ]; then
+  exit_with_error "DOCKER_USERNAME not set"
+fi
+
+if [ -z "$DOCKER_PASSWORD" ]; then
+  exit_with_error "DOCKER_PASSWORD not set"
+fi
 set -u
 
 # setup_signing
@@ -42,4 +50,7 @@ setup_signing() {
   # TODO: extract this from the certificate material itself
   export MAC_SIGNING_IDENTITY="Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)"
   commentary "setting MAC_SIGNING_IDENTITY=${MAC_SIGNING_IDENTITY}"
-}
\ No newline at end of file
+
+  commentary "log into docker -- required for publishing (since the default keychain has now been replaced)"
+  echo "${DOCKER_PASSWORD}" | docker login docker.io -u "${DOCKER_USERNAME}"  --password-stdin
+}
diff --git a/Makefile b/Makefile
index cfcb71f8a..a38314d46 100644
--- a/Makefile
+++ b/Makefile
@@ -309,9 +309,6 @@ CHANGELOG.md:
 .PHONY: release
 release: clean-dist CHANGELOG.md  ## Build and publish final binaries and packages. Intended to be run only on macOS.
 	$(call title,Publishing release artifacts)
-	# login to docker
-	# note: the previous step creates a new keychain, so it is important to reauth into docker.io
-	@echo $${DOCKER_PASSWORD} | docker login docker.io -u $${DOCKER_USERNAME}  --password-stdin
 
 	# create a config with the dist dir overridden
 	echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml