diff --git a/.gitea/workflows/build-host-agent.yml b/.gitea/workflows/build-host-agent.yml
index be506a0..4cfc3a4 100644
--- a/.gitea/workflows/build-host-agent.yml
+++ b/.gitea/workflows/build-host-agent.yml
@@ -75,12 +75,17 @@ jobs:
             echo "::error::MINISIGN_SECRET_KEY secret is not set — refusing to publish unsigned agent artifacts."
             exit 1
           fi
-          apt-get install -y -qq minisign
+          # minisign isn't packaged for bullseye — fetch the official static binary.
+          curl -sSL https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12-linux.tar.gz -o /tmp/minisign.tgz
+          tar -xzf /tmp/minisign.tgz -C /tmp
+          MINISIGN="$(find /tmp -type f -name minisign -path '*linux*' | head -1)"
+          chmod +x "$MINISIGN"
+          "$MINISIGN" -v
           printf '%s\n' "$MINISIGN_SECRET_KEY" > /tmp/sign.key
           cd corrosion-host-agent/bin
           # Passwordless key (-W generated); feed empty stdin so it never blocks.
           for f in corrosion-host-agent-linux-amd64 corrosion-host-agent-windows-amd64.exe checksums.txt; do
-            minisign -S -s /tmp/sign.key -m "$f" -x "$f.minisig" < /dev/null
+            "$MINISIGN" -S -s /tmp/sign.key -m "$f" -x "$f.minisig" < /dev/null
           done
           rm -f /tmp/sign.key
           echo "signed: $(ls *.minisig)"
diff --git a/corrosion-host-agent/Cargo.toml b/corrosion-host-agent/Cargo.toml
index 8ba51b4..8f6d71b 100644
--- a/corrosion-host-agent/Cargo.toml
+++ b/corrosion-host-agent/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "corrosion-host-agent"
-version = "2.0.0-alpha.6"
+version = "2.0.0-alpha.7"
 edition = "2021"
 description = "Corrosion Host Agent — multi-game ops runtime for self-hosted game servers"
 license = "UNLICENSED"