diff --git a/sogo/.dockerignore b/sogo/.dockerignore
index 72e8ffc0db8aad71a934dd11e5968bd5109e54b4..c42863bd1cbef4c2e72f61f1155896480781e311 100644
--- a/sogo/.dockerignore
+++ b/sogo/.dockerignore
@@ -1 +1,2 @@
 *
+!inverse.sources
diff --git a/sogo/Dockerfile b/sogo/Dockerfile
index e8b6852e660a7f4235290abd2ad43f653def482f..e6f8e3aa23e041c2b71801e5b155f39c28a9812b 100644
--- a/sogo/Dockerfile
+++ b/sogo/Dockerfile
@@ -1,14 +1,29 @@
+FROM registry.hub.docker.com/library/debian:buster-slim as repo-key
+# hadolint ignore=DL3008
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl \
+        gnupg \
+    && \
+    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
+WORKDIR /gnupghome
+ENV GNUPGHOME /gnupghome
+RUN gpg --keyserver hkp://keys.gnupg.net --recv-key 0x810273C4 && \
+    gpg --output inverse.gpg --export-options=export-minimal --export 0x810273C4
+
 FROM registry.hub.docker.com/library/debian:buster-slim
 # hadolint ignore=DL3008
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         apt-transport-https \
         ca-certificates \
-        gnupg \
     && \
-    apt-key adv --keyserver hkp://keys.gnupg.net --recv-key 0x810273C4 && \
-    echo 'deb https://packages.inverse.ca/SOGo/nightly/5/debian/ buster buster' > /etc/apt/sources.list.d/sogo.list && \
-    apt-get update && \
+    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
+COPY --from=repo-key /gnupghome/inverse.gpg /usr/share/keyrings/
+COPY inverse.sources /etc/apt/sources.list.d/
+# hadolint ignore=DL3008
+RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         sogo-activesync \
         sogo \
diff --git a/sogo/inverse.sources b/sogo/inverse.sources
new file mode 100644
index 0000000000000000000000000000000000000000..dad1d56fe5cf3dc624c587c37f676a3c38080c12
--- /dev/null
+++ b/sogo/inverse.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://packages.inverse.ca/SOGo/nightly/5/debian/
+Suites: buster
+Components: buster
+Signed-By: /usr/share/keyrings/inverse.gpg