diff --git a/margfools b/margfools
index 0d4ca07..5b70fd4 100755
--- a/margfools
+++ b/margfools
@@ -36,7 +36,7 @@ def sign(b64data, key, pin=None, engine=None):
 
     p = subprocess.run(cmd, env=env, input=data, capture_output=True)
     if p.returncode != 0:
-        raise RuntimeError('could not sign data')
+        raise Exception(f'could not sign data: {p.stderr.decode()}')
 
     return base64.b64encode(p.stdout).decode()
 
@@ -64,15 +64,13 @@ if __name__ == '__main__':
         if not args.cert:
             args.cert = config.get(url, 'cert', fallback=None)
         if not args.key:
-            print('key not specified', file=sys.stderr)
-            sys.exit(1)
+            raise Exception('key not specified')
 
         pin = None
 
         if args.engine is None:
             if not args.cert:
-                print('certificate not specified', file=sys.stderr)
-                sys.exit(1)
+                raise Exception('certificate not specified')
             args.cert = ''.join(line.strip() for line in open(args.cert) if not line.startswith('-----'))
         elif args.engine == 'pkcs11':
             args.cert = base64.b64encode(subprocess.run(['pkcs11-tool', '--read-object', '--type', 'cert', '--id', args.key], capture_output=True).stdout).decode()
@@ -110,5 +108,5 @@ if __name__ == '__main__':
             request |= json.loads(r.text)
 
     except Exception as ex:
-        print(ex, file=sys.stderr)
+        print(f'error: {ex}', file=sys.stderr)
         input('press enter to exit') # don’t close terminal immediately on fail