diff --git a/python/.changelog.d/2745.changed b/python/.changelog.d/2745.changed
new file mode 100644
index 000000000..8d30b7eef
--- /dev/null
+++ b/python/.changelog.d/2745.changed
@@ -0,0 +1 @@
+`trezorctl firmware verify` changed order of checks - fingerprint is validated before signatures.
diff --git a/python/src/trezorlib/cli/firmware.py b/python/src/trezorlib/cli/firmware.py
index 189d59504..6c0b94e96 100644
--- a/python/src/trezorlib/cli/firmware.py
+++ b/python/src/trezorlib/cli/firmware.py
@@ -351,8 +351,8 @@ def validate_firmware(
         sys.exit(2)
 
     print_firmware_version(fw)
-    validate_signatures(fw)
     validate_fingerprint(fw, fingerprint)
+    validate_signatures(fw)
 
     if bootloader_onev2 is not None and trezor_major_version is not None:
         check_device_match(