diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 2d0eeedfe..c2ec85b7c 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -27,12 +27,14 @@ jobs:
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
         run: |
           set -e
+          # Runner container persists between runs; wipe any stale gpg state
+          # so old gpg.conf / socket paths can't confuse this build.
+          rm -rf /root/.gnupg /root/repo_pass
           mkdir -m700 -p /root/.gnupg
-          printf '%s\n' "$PRIV" | gpg --batch --import
-          # echo trust so gpg doesn't complain during signing
-          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
           printf '%s' "$PASS" > /root/repo_pass
           chmod 600 /root/repo_pass
+          printf '%s\n' "$PRIV" | gpg --batch --import
+          echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
         env: