diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 4a65d0b..60551bf 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -188,6 +188,26 @@ jobs:
       - name: Export Android APK
         run: godot --headless --export-debug "AndroidDebug" "releases/android/Puzzle-Quest.apk"
 
+      - name: Sign + verify APK
+        run: |
+          set -euo pipefail
+          APK="releases/android/Puzzle-Quest.apk"
+          APKSIGNER="$ANDROID_HOME/build-tools/34.0.0/apksigner"
+          # Godot 4.6 sometimes ships an unsigned APK from the headless
+          # export (sign step skips silently when its internal apksigner
+          # call can't locate java). Re-sign unconditionally — idempotent
+          # if Godot did sign, and guarantees a valid APK if it didn't.
+          "$APKSIGNER" sign \
+            --ks /tmp/debug.keystore \
+            --ks-pass pass:android \
+            --ks-key-alias androiddebugkey \
+            --key-pass pass:android \
+            --v1-signing-enabled true \
+            --v2-signing-enabled true \
+            --v3-signing-enabled true \
+            "$APK"
+          "$APKSIGNER" verify --verbose "$APK"
+
       - name: Upload artifact
         uses: actions/upload-artifact@v3
         with: