diff --git a/pkg/format/Dockerfile b/pkg/format/Dockerfile
index 124e4daec..b8d7c96ca 100644
--- a/pkg/format/Dockerfile
+++ b/pkg/format/Dockerfile
@@ -1,13 +1,18 @@
-FROM alpine:3.5
+FROM linuxkit/alpine:f0169b60fb260d74025496ae6fd93213fecaba8f@sha256:23743c7206ebe8a609442c5ac7084a26ed45ce8f5213960428bca264225849f1 AS mirror
 
-RUN \
-  apk update && apk upgrade -a && \
-  apk add --no-cache \
-  e2fsprogs \
-  e2fsprogs-extra \
-  jq \
-  sfdisk \
-  && true
+FROM alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
+COPY --from=mirror /etc/apk/keys /etc/apk/keys/
+COPY --from=mirror /mirror /mirror/
+
+RUN apk add \
+    e2fsprogs \
+    e2fsprogs-extra \
+    jq \
+    sfdisk \
+    && true
+
+RUN rm -rf /mirror /etc/apk/repositories /etc/apk/keys
 
 COPY . ./
 CMD ["/bin/sh", "/format.sh"]
diff --git a/pkg/format/Makefile b/pkg/format/Makefile
index cf6eed82d..8234712cc 100644
--- a/pkg/format/Makefile
+++ b/pkg/format/Makefile
@@ -1,29 +1,14 @@
 .PHONY: tag push
-
-BASE=alpine:3.5
-IMAGE=format
-
 default: push
 
-hash: Dockerfile format.sh
-	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --rm --entrypoint /bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > $@
+IMAGE=format
+DEPS=Dockerfile format.sh
 
-push: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash) && \
-		 docker push linuxkit/$(IMAGE):$(shell cat hash))
-	docker rmi $(IMAGE):build
-	rm -f hash
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
 
-tag: hash
-	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-		docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)
-	docker rmi $(IMAGE):build
-	rm -f hash
+tag: $(DEPS)
+	docker build --squash --no-cache --network=none -t linuxkit/$(IMAGE):$(HASH) .
 
-clean:
-	rm -f hash
-
-.DELETE_ON_ERROR:
+push: tag
+	docker pull linuxkit/$(IMAGE):$(HASH) || \
+	docker push linuxkit/$(IMAGE):$(HASH)