diff --git a/Dockerfile b/Dockerfile
index 8c135f7..ab23fee 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,9 +33,6 @@ RUN rmdir /etc/schroot/chroot.d && \
 # - bind mounts
 RUN echo "/srv\t\t/srv\t\tnone\trw,bind\t\t0\t0" \
 >> /etc/schroot/default/fstab
-# - signing key
-RUN sbuild-update --keygen
-
 # - aufs on tmpfs config
 ADD schroot-04tmpfs /etc/schroot/setup.d/04tmpfs
diff --git a/scripts/base-config.sh b/scripts/base-config.sh
index 4e79ea7..5de6542 100644
--- a/scripts/base-config.sh
+++ b/scripts/base-config.sh
@@ -52,6 +52,7 @@ GPG_KEY_SERVER=hkp://keys.gnupg.net
 # Generated config directory
 CONFIG_DIR=$BASE_DIR/configs
+GNUPGHOME=$CONFIG_DIR/gpg
 # Scripts and configs directories
 SCRIPTS_DIR=scripts
diff --git a/scripts/debian-pkg-repo.sh b/scripts/debian-pkg-repo.sh
index 87f662e..3f801be 100644
--- a/scripts/debian-pkg-repo.sh
+++ b/scripts/debian-pkg-repo.sh
@@ -3,7 +3,6 @@ debug " Sourcing debian-pkg-repo.sh"
 deb_repo_init() {
 REPO_DIR_ABS=$(readlink -f $REPO_DIR)
 debug " Apt repo dir: $REPO_DIR_ABS"
- GNUPGHOME=$CONFIG_DIR/gpg
 debug " GPG key dir: $GNUPGHOME"
 if ! test -f $GNUPGHOME/trustdb.gpg; then
 debug " Setting up GPG package signing keys"
diff --git a/scripts/sbuild.sh b/scripts/sbuild.sh
index a4396e2..016e070 100644
--- a/scripts/sbuild.sh
+++ b/scripts/sbuild.sh
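Review bot: In the scripts/base-config.sh hunk, `GNUPGHOME=$CONFIG_DIR/gpg` is added without a comment, although after this commit the directory holds the sbuild private signing key in addition to the package signing keys set up by deb_repo_init. A comment such as `# GnuPG home for package signing; holds private keys, keep it mode 700 and out of version control` would make that clear to anyone who archives or shares the generated config directory. The assignment is also unquoted and, as far as this hunk shows, not exported, so a gpg child process would only see it if an export happens elsewhere in the scripts.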
@@ -25,6 +25,28 @@ sbuild_chroot_init() {
 fi
 }
+sbuild_chroot_install_keys() {
+ if test -f /var/lib/sbuild/apt-keys/sbuild-key.sec; then
+ if test -f $GNUPGHOME/sbuild-key.sec; then
+ debug " (sbuild package keys installed; doing nothing)"
+ else
+ debug " Copying signing keys from chroot into $GNUPGHOME"
+ mkdir -p $GNUPGHOME; chmod 700 $GNUPGHOME
+ cp /var/lib/sbuild/apt-keys/sbuild-key.* $GNUPGHOME
+ fi
+ else
+ if ! test -f $GNUPGHOME/sbuild-key.sec; then
+ debug " Generating new sbuild keys"
+ sbuild-update --keygen
+ mkdir -p $GNUPGHOME; chmod 700 $GNUPGHOME
+ cp /var/lib/sbuild/apt-keys/sbuild-key.* $GNUPGHOME
+ else
+ debug " Copying signing keys from $GNUPGHOME into chroot"
+ cp $GNUPGHOME/sbuild-key.* /var/lib/sbuild/apt-keys
+ fi
+ fi
+}
+
 sbuild_chroot_setup() {
 msg "Creating sbuild chroot, distro $CODENAME, arch $HOST_ARCH"
 sbuild_chroot_init
@@ -47,6 +69,9 @@ sbuild_chroot_setup() {
 # FIXME
 #sbuild-adduser 1000
+ debug " Setting up signing keys"
+ sbuild_chroot_install_keys
+
 # Remove default apt sources and configure new
 > $CHROOT_DIR/etc/apt/sources.list
 distro_configure_repos
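Review bot: The new `sbuild_chroot_install_keys` copies `sbuild-key.sec` with a plain `cp`, so the private key's mode at the destination depends on the caller's umask. In addition, `mkdir -p $GNUPGHOME; chmod 700 $GNUPGHOME` leaves a freshly created directory at its default mode for a moment and still runs `chmod` when `mkdir` failed. Creating the directory with `install -d -m 700 "$GNUPGHOME"` and copying with `cp -p /var/lib/sbuild/apt-keys/sbuild-key.* "$GNUPGHOME"/` (and `cp -p` in the reverse direction) keeps the key material restricted throughout, and the quoting protects paths containing spaces. The existence tests look only at `sbuild-key.sec`, so a missing public half on either side is never repaired, and a failed `sbuild-update --keygen` is noticed only through the `cp` that follows it.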
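Review bot: The call to `sbuild_chroot_install_keys` added in `sbuild_chroot_setup` ignores its exit status, so unless errexit is enabled elsewhere the chroot setup carries on without usable signing keys when key generation or the copy fails. `sbuild_chroot_install_keys || return 1` would stop the setup at this point instead. The body of sbuild_chroot_setup begins and ends outside the hunk, so any later error handling is not visible here.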