diff --git a/.dockerignore b/.dockerignore
index 53752db..1fcb152 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1 @@
-output
+out
diff --git a/Dockerfile b/Dockerfile
index c4f6cc6..a179099 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,20 @@
+FROM archlinux:base-devel AS keyfork-build
+
+RUN pacman -Syu --noconfirm
+RUN useradd -m build && echo "build ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/build
+
+USER build
+WORKDIR /home/build
+ADD PKGBUILD.keyfork /home/build/PKGBUILD
+
+RUN makepkg -s --noconfirm --skipinteg
+RUN mkdir /home/build/repo && cp keyfork-0.0.0-1-x86_64.pkg.tar.zst repo && repo-add /home/build/repo/keyfork.db.tar.gz keyfork-0.0.0-1-x86_64.pkg.tar.zst
+
 FROM archlinux
 RUN pacman -Syu --noconfirm archiso
 ADD configs /configs
+COPY --from=keyfork-build /home/build/repo /usr/share/keyfork
 WORKDIR /
 ENTRYPOINT ["/usr/bin/bash", "-x", "/usr/bin/mkarchiso", "-v", "-w", "/work", "-o", "/out"]
diff --git a/Makefile b/Makefile
index 0ea3132..63b71f7 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,8 @@ vars:
 clean:
 rm -rf out work || true
-out/archlinux-baseline-arch-%-x86_64.iso: configs/%/
+# NOTE: Relies on files in configs/% but make doesn't have recursive checks
+out/archlinux-baseline-arch-%-x86_64.iso: configs/% Dockerfile PKGBUILD.keyfork
 $(MAKE) docker-airgap-builder
 mkdir -p out
 docker run --rm --privileged --volume "$(PWD)/out:/out" airgap-builder $<
diff --git a/PKGBUILD.keyfork b/PKGBUILD.keyfork
new file mode 100644
index 0000000..5487e6f
--- /dev/null
+++ b/PKGBUILD.keyfork
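Review bot: In the Dockerfile's new `keyfork-build` stage, `RUN makepkg -s --noconfirm --skipinteg` turns off every checksum and PGP check on the package sources, and the package built there is the one the airgapped image installs. The flag is presumably needed only because PKGBUILD.keyfork declares no checksum array; adding `sha256sums=('SKIP')` for its git source would let this line become `RUN makepkg -s --noconfirm`, so any source added later is verified by default. Separately, `FROM archlinux:base-devel` and `FROM archlinux` are floating tags and `pacman -Syu` pulls whatever is current, so the build inputs are not reproducible; pinning both base images by digest would narrow that.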
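Review bot: In the Makefile's ISO rule the recipe still passes `$<` to `docker run`, so the extended prerequisite list only works while `configs/%` stays first; if `Dockerfile` or `PKGBUILD.keyfork` were ever listed ahead of it, the builder would silently receive the wrong argument. A comment next to the existing NOTE, such as `# configs/% must remain the first prerequisite: the recipe passes $< to the builder`, would record that dependency. The recipe lines are unchanged context here and the rule may continue outside the hunk.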
@@ -0,0 +1,33 @@
+pkgname='keyfork'
+pkgver='0.0.0'
+pkgrel=1
+pkgdesc='The Kitchen Sink of Entropy'
+arch=('x86_64')
+url='https://git.distrust.co/public/keyfork'
+license=('GPL-2.0')
+makedepends=('cargo' 'clang' 'git' 'llvm' 'pkgconf') # + nettle + pcsclite
+depends=('nettle' 'pcsclite')
+source=('git+https://git.distrust.co/public/keyfork.git')
+
+prepare() {
+ cd "$srcdir/$pkgname"
+ export RUSTUP_TOOLCHAIN=stable
+ cargo fetch --locked --target "$CARCH-unknown-linux-gnu"
+ cd -
+}
+
+build() {
+ export RUSTUP_TOOLCHAIN=stable
+ export CARGO_TARGET_DIR=target
+ export RUSTFLAGS="-C codegen-units=1"
+ cd "$srcdir/$pkgname"
+ # NOTE: Do not use `--all-features` as features may be incomopatible with
+ # each other.
+ cargo build --frozen --release -p keyfork
+}
+
+package() {
+ build="$srcdir/$pkgname/target/release"
+ target="$pkgdir/usr/bin"
+ install -Dm755 "$build/$pkgname" "$pkgdir/usr/bin/$pkgname"
+}
diff --git a/README.md b/README.md
index f12099c..6ca0fb5 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,13 @@ A slim version of Arch Linux intended to run on airgapped (always-offline) systems. The builder runs in Docker using privileged mode.
+## Target Packages
+
+Airgap NG is built for the purpose of providing an airgapped image of Keyfork.
+As such, it builds an Arch package for Keyfork and a local Arch package
+repository from which to install Keyfork. The base installation image will also
+include Nettle, PCSC Lite
+
 ## Building Requirements:
diff --git a/configs/airgap/packages.x86_64 b/configs/airgap/packages.x86_64
index ba46087..894776f 100644
--- a/configs/airgap/packages.x86_64
+++ b/configs/airgap/packages.x86_64
@@ -3,3 +3,4 @@ linux
 mkinitcpio
 mkinitcpio-archiso
 syslinux
+keyfork
diff --git a/configs/airgap/pacman.conf b/configs/airgap/pacman.conf
index f382fab..8083288 100644
--- a/configs/airgap/pacman.conf
+++ b/configs/airgap/pacman.conf
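Review bot: `source=('git+https://git.distrust.co/public/keyfork.git')` in PKGBUILD.keyfork carries no `#commit=` or `#tag=` fragment, so every build packages whatever the default branch points to at that moment while `pkgver` stays `0.0.0`. For an airgapped image the source should be pinned to a reviewed revision, e.g. `source=('git+https://git.distrust.co/public/keyfork.git#commit=<REVIEWED_COMMIT_SHA>')` (placeholder value), or to a signed tag using makepkg's `?signed` query with a matching `validpgpkeys` entry. `cargo fetch --locked` pins the crates only relative to that revision's Cargo.lock, so it helps once the revision itself is fixed. In `package()` the `target` variable is assigned but never used; `install -Dm755 "$build/$pkgname" "$target/$pkgname"` would use it.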
@@ -96,3 +96,7 @@ Include = /etc/pacman.d/mirrorlist
 #[custom]
 #SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
+
+[keyfork]
+SigLevel = Optional TrustAll
+Server = file:///usr/share/keyfork
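Review bot: `SigLevel = Optional TrustAll` on the new `[keyfork]` section of configs/airgap/pacman.conf means pacman installs the package unsigned and would accept a signature from any key, so nothing authenticates keyfork between the build stage and the ISO. Trust therefore rests entirely on the Dockerfile stage that populates `/usr/share/keyfork`, which this commit runs with `--skipinteg`. If signing is not practical yet, a comment above the section such as `# Local repo built in the same Docker build; packages are unsigned, so trust derives from the build stage only` would keep the setting from being copied to a remote repository. Longer term, signing in the build stage (`makepkg --sign`, `repo-add --sign`) together with `SigLevel = Required` here would close the gap.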