diff --git a/build b/build
index ac900e6..ef1d40c 100755
--- a/build
+++ b/build
@@ -911,11 +911,23 @@ if [ "$RELEASE_CHANNEL" = "stable" ]; then
 # Source ZDDC_SIGNING_KEY from ~/.config/zddc-signing/env if it
 # isn't already in env. Mirrors ~/.bashrc's auto-sourcing pattern
 # for ~/.config/{codeberg,forgejo,github}/env, but inside the
- # build script so non-interactive callers (Forgejo runner daemon,
- # cron, etc.) pick it up without needing systemd EnvironmentFile
- # or workflow yaml.
- if [ -z "${ZDDC_SIGNING_KEY:-}" ] && [ -f "$HOME/.config/zddc-signing/env" ]; then
- . "$HOME/.config/zddc-signing/env"
+ # build script so non-interactive callers pick it up without
+ # needing systemd EnvironmentFile or workflow yaml.
+ #
+ # Two candidates: $HOME first (operator's normal shell), then
+ # /home/user as an explicit fallback for the Forgejo runner
+ # container — $HOME there is /var/lib/forgejo-runner (uid 1001's
+ # in-container passwd entry), but the runner quadlet bind-mounts
+ # /home/user/.config/zddc-signing/ at the same absolute path so
+ # the operator's single source of truth is visible to the runner.
+ if [ -z "${ZDDC_SIGNING_KEY:-}" ]; then
+ for _zsk_env in "$HOME/.config/zddc-signing/env" /home/user/.config/zddc-signing/env; do
+ if [ -f "$_zsk_env" ]; then
+ . "$_zsk_env"
+ break
+ fi
+ done
+ unset _zsk_env
+ fi
 echo ""
 echo "=== Signing release artifacts ==="
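Review bot: The new `for _zsk_env in ...` loop sources `/home/user/.config/zddc-signing/env` on every host where `$HOME/.config/zddc-signing/env` is absent, not only inside the Forgejo runner container. A stable build run by any other account therefore executes whatever shell code the owner of `/home/user` placed in that file, and signs with the key it sets. Because `.` runs the file as code in the release-signing path, the fallback should be limited to the case the comment describes, for example `if [ "$HOME" = /var/lib/forgejo-runner ] && [ -r /home/user/.config/zddc-signing/env ]; then`, or the file's owner and mode should be checked before sourcing. The test is also `-f` rather than `-r`, so an existing but unreadable file (plausible across the bind mount for uid 1001) fails at `.` instead of being skipped. The enclosing `if [ "$RELEASE_CHANNEL" = "stable" ]` block starts and ends outside the hunk.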