diff --git a/actions/build-stm32/Dockerfile b/actions/build-stm32/Dockerfile
index cdff79e..f720b85 100644
--- a/actions/build-stm32/Dockerfile
+++ b/actions/build-stm32/Dockerfile
@@ -3,7 +3,7 @@ FROM xanderhendriks/stm32cubeide:15.0
 
 # Tools your script needs
 RUN apt-get -y update && \
-    apt-get -y install curl python3 python3-pycryptodome python3-ecdsa python3-pyelftools python3-numpy python3-cryptography python3-intelhex git srecord ca-certificates bear cppcheck jq \
+    apt-get -y install curl python3 python3-venv python3-pip python3-pycryptodome python3-ecdsa python3-pyelftools python3-numpy python3-cryptography python3-intelhex git srecord ca-certificates bear cppcheck jq \
     && ln -s $(which python3) /usr/bin/python \
     && rm -rf /var/lib/apt/lists/*
 
diff --git a/actions/sign-firmware/run.sh b/actions/sign-firmware/run.sh
index eae8a02..a10ba4a 100755
--- a/actions/sign-firmware/run.sh
+++ b/actions/sign-firmware/run.sh
@@ -16,11 +16,28 @@ if python3 -c "import cryptography, intelhex" 2>/dev/null; then
 fi
 
 VENV="$SCRIPT_DIR/.venv"
-if [ ! -x "$VENV/bin/python" ]; then
+VENV_PY="$VENV/bin/python"
+if [ -x "$VENV_PY" ] && "$VENV_PY" -c "import cryptography, intelhex" 2>/dev/null; then
+    exec "$VENV_PY" "$SCRIPT_DIR/sign_firmware.py" "$@"
+fi
+
+if [ ! -x "$VENV_PY" ] || ! "$VENV_PY" -c "import cryptography, intelhex" 2>/dev/null; then
     echo "sign-firmware: bootstrapping venv at $VENV (one-time)" >&2
-    python3 -m venv "$VENV"
-    "$VENV/bin/pip" install --quiet --upgrade pip
-    "$VENV/bin/pip" install --quiet "cryptography>=41" "intelhex>=2.3"
+    rm -rf "$VENV"
+    if ! python3 -m venv "$VENV"; then
+        if [ "$(id -u)" = "0" ] && command -v apt-get >/dev/null 2>&1; then
+            echo "sign-firmware: installing python3-venv in container" >&2
+            apt-get update
+            apt-get install -y python3-venv python3-pip
+            rm -rf "$VENV"
+            python3 -m venv "$VENV"
+        else
+            echo "sign-firmware: python3 venv support is unavailable; install python3-venv" >&2
+            exit 1
+        fi
+    fi
+    "$VENV_PY" -m pip install --quiet --upgrade pip
+    "$VENV_PY" -m pip install --quiet "cryptography>=41" "intelhex>=2.3"
 fi
 
-exec "$VENV/bin/python" "$SCRIPT_DIR/sign_firmware.py" "$@"
+exec "$VENV_PY" "$SCRIPT_DIR/sign_firmware.py" "$@"