diff --git a/alpine-cloud-images/CONFIGURATION.md b/alpine-cloud-images/CONFIGURATION.md
index 3466ed2..00d9fee 100644
--- a/alpine-cloud-images/CONFIGURATION.md
+++ b/alpine-cloud-images/CONFIGURATION.md
@@ -307,3 +307,8 @@ region, `true` or `false`/`null`.
 
 Determines whether the image will be encrypted when imported and published.
 Currently, only the **aws** cloud module supports this.
+
+### `repo_keys` array
+
+List of addtional repository keys to trust during the package installation phase.
+This allows pulling in custom apk packages by simple specifying the repository name in packages block.
diff --git a/alpine-cloud-images/alpine.pkr.hcl b/alpine-cloud-images/alpine.pkr.hcl
index cc588fe..0e8fb27 100644
--- a/alpine-cloud-images/alpine.pkr.hcl
+++ b/alpine-cloud-images/alpine.pkr.hcl
@@ -174,6 +174,7 @@ build {
         "PACKAGES_NOSCRIPTS=${B.value.packages.noscripts}",
         "RELEASE=${B.value.release}",
         "REPOS=${B.value.repos}",
+        "REPO_KEYS=${B.value.repo_keys}",
         "SERVICES_ENABLE=${B.value.services.enable}",
         "SERVICES_DISABLE=${B.value.services.disable}",
         "VERSION=${B.value.version}",
diff --git a/alpine-cloud-images/image_config.py b/alpine-cloud-images/image_config.py
index 69a5be7..59dd3bd 100644
--- a/alpine-cloud-images/image_config.py
+++ b/alpine-cloud-images/image_config.py
@@ -151,6 +151,7 @@ class ImageConfig():
         # stringify arrays
         self.name = '-'.join(self.name)
         self.description = ' '.join(self.description)
+        self.repo_keys = ' '.join(self.repo_keys)
         self._resolve_motd()
         self._resolve_urls()
         self._stringify_repos()
diff --git a/alpine-cloud-images/scripts/setup b/alpine-cloud-images/scripts/setup
index 8f00d29..1c826c7 100755
--- a/alpine-cloud-images/scripts/setup
+++ b/alpine-cloud-images/scripts/setup
@@ -71,6 +71,12 @@ install_base() {
     mkdir -p "$TARGET/etc/apk"
     echo "$REPOS" > "$TARGET/etc/apk/repositories"
     cp -a /etc/apk/keys "$TARGET/etc/apk"
+
+    # shellcheck disable=SC2086
+    for key in $REPO_KEYS; do
+        wget -q $key -P "$TARGET/etc/apk/keys"
+    done
+
     # shellcheck disable=SC2086
     apk --root "$TARGET" --initdb --no-cache add $PACKAGES_ADD
     # shellcheck disable=SC2086