diff --git a/Dockerfile b/Dockerfile
index 05917dc..daae3cd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -58,6 +58,7 @@ ARG MODE=packages
 ARG PACKAGE_FILE=default
 ARG UBUNTU_RELEASE=xenial
 ARG UPSTREAM_URL="http://archive.ubuntu.com/ubuntu/"
+ARG UPSTREAM_KEY_URL=""
 ARG COMPONENTS="main universe"
 ARG REPOS="${UBUNTU_RELEASE} ${UBUNTU_RELEASE}-updates ${UBUNTU_RELEASE}-security"
@@ -69,6 +70,7 @@ ENV MODE ${MODE}
 ENV PACKAGE_FILE=${PACKAGE_FILE}
 ENV UBUNTU_RELEASE=${UBUNTU_RELEASE}
 ENV UPSTREAM_URL=${UPSTREAM_URL}
+ENV UPSTREAM_KEY_URL=${UPSTREAM_KEY_URL}
 ENV COMPONENTS=${COMPONENTS}
 ENV REPOS=${REPOS}
diff --git a/Makefile b/Makefile
index d7e5b12..fed63d5 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,11 @@ UBUNTU_BASE_IMAGE ?= ubuntu:16.04
 IMAGE:=${DOCKER_REGISTRY}/${IMAGE_PREFIX}/$(IMAGE_NAME):${IMAGE_TAG}
-CHART := charts/mini-mirror
+CHART := charts/mini-mirror
+
+UPSTREAM_URL ?= http://archive.ubuntu.com/ubuntu/
+UPSTREAM_KEY_URL ?=
+COMPONENTS ?= main
 .PHONY: validate
 validate: lint test
@@ -78,13 +82,21 @@ ifeq ($(USE_PROXY), true)
 --build-arg HTTP_PROXY=$(PROXY) \
 --build-arg HTTPS_PROXY=$(PROXY) \
 --build-arg no_proxy=$(NO_PROXY) \
- --build-arg NO_PROXY=$(NO_PROXY) .
+ --build-arg NO_PROXY=$(NO_PROXY) \
+ --build-arg UPSTREAM_URL=$(UPSTREAM_URL) \
+ --build-arg UPSTREAM_KEY_URL=$(UPSTREAM_KEY_URL) \
+ --build-arg COMPONENTS=$(COMPONENTS) \
+ .
 else
 docker build --network host -t $(IMAGE) \
 --label "org.opencontainers.image.revision=$(COMMIT)" \
 --label "org.opencontainers.image.created=$(shell date --rfc-3339=seconds --utc)" \
 --label "org.opencontainers.image.title=$(IMAGE_NAME)" \
- -f Dockerfile .
+ -f Dockerfile \
+ --build-arg UPSTREAM_URL=$(UPSTREAM_URL) \
+ --build-arg UPSTREAM_KEY_URL=$(UPSTREAM_KEY_URL) \
+ --build-arg COMPONENTS=$(COMPONENTS) \
+ .
 endif
 ifeq ($(PUSH_IMAGE), true)
 docker push $(IMAGE)
diff --git a/assets/startup.sh b/assets/startup.sh
index fe2543f..47d279d 100755
--- a/assets/startup.sh
+++ b/assets/startup.sh
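Review bot: The new `ARG UPSTREAM_KEY_URL=""` in the first Dockerfile hunk (and its `ENV` counterpart in the second hunk) carries no comment, although it decides which signing key the mirror ends up trusting. A line above the `ARG` such as `# URL of an extra archive signing key; assets/startup.sh fetches it and imports it into trustedkeys.gpg. Leave empty to skip.` would make that visible. Because the value is copied into `ENV`, it is stored in the image configuration and readable by anyone who can pull the image, so the comment should also say that the URL must not embed credentials or tokens.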
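Review bot: `COMPONENTS ?= main` in the Makefile hunk at line 30 disagrees with the Dockerfile default `ARG COMPONENTS="main universe"`. The build recipe in the later hunk now always passes `--build-arg COMPONENTS=$(COMPONENTS)`, so images built through make get only `main` while a plain `docker build` still gets both components. If the narrowing is intended, state it next to the assignment, e.g. `# Overrides the Dockerfile default ("main universe")`; otherwise align the two defaults. `UPSTREAM_KEY_URL ?=` would likewise benefit from a one-line comment saying that an empty value disables the key import in assets/startup.sh.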
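Review bot: The three new `--build-arg` values in both branches of the `docker build` recipe (Makefile hunk at line 78) are expanded unquoted. A multi-word `COMPONENTS`, such as the Dockerfile's own default `main universe`, splits into separate arguments, and any shell metacharacter in `UPSTREAM_URL` or `UPSTREAM_KEY_URL` (for example `&` in a query string) is interpreted by the shell running the recipe. Quote each value in both branches: `--build-arg UPSTREAM_URL='$(UPSTREAM_URL)' \`, `--build-arg UPSTREAM_KEY_URL='$(UPSTREAM_KEY_URL)' \`, `--build-arg COMPONENTS='$(COMPONENTS)' \`. The recipe begins above the hunk, so the pre-existing proxy arguments were not reviewed here.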
@@ -46,6 +46,11 @@ if [[ -f /usr/share/keyrings/debian-archive-keyring.gpg ]]; then
 --import
 fi
+if [ ! -z "$UPSTREAM_KEY_URL" ]; then
+ wget -O - "$UPSTREAM_KEY_URL" | gpg --no-default-keyring \
+ --keyring trustedkeys.gpg --import
+fi
+
 # Aptly looks in /root/.gnupg for default keyrings
 ln -sf /opt/aptly/aptly.sec /root/.gnupg/secring.gpg
 ln -sf /opt/aptly/aptly.pub /root/.gnupg/pubring.gpg
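Review bot: The added block pipes whatever `wget` returns from `$UPSTREAM_KEY_URL` straight into `trustedkeys.gpg` without checking which key it is. Whoever can alter that response (plain-http transport, a compromised or mistyped host) therefore chooses a key the mirror will trust for repository signatures. Pin the expected key content, for instance with a new `UPSTREAM_KEY_SHA256` variable plumbed through the Dockerfile and Makefile like `UPSTREAM_KEY_URL`, and import only after the digest matches; the digest then has to be updated whenever the upstream key file is legitimately refreshed. Whether the script runs with `set -e` or `pipefail` is not visible in this hunk, so a failed download may currently pass unnoticed, and the sketch below fails explicitly instead. `[[ -n ... ]]` would also match the `[[ ... ]]` test used just above the hunk.

```shell
if [[ -n "$UPSTREAM_KEY_URL" ]]; then
    # UPSTREAM_KEY_SHA256 is a proposed new variable: SHA-256 of the expected key file.
    key_file="$(mktemp)"
    wget -O "$key_file" "$UPSTREAM_KEY_URL" || exit 1
    # Refuse to trust a key whose content differs from the pinned digest
    # (an empty digest also fails the check, so the import fails closed).
    echo "${UPSTREAM_KEY_SHA256}  ${key_file}" | sha256sum -c - || exit 1
    gpg --no-default-keyring --keyring trustedkeys.gpg --import "$key_file" || exit 1
    rm -f "$key_file"
fi
```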