Verify blobs
The authenticity of any blob downloaded from the interwebs while building the Dockerfiles should be enforced whenever possible. This means that if a PGP signature issued by the author is available, it must be verified.
As an example, this has already been done for Composer here: cee14cac
Public keys should be downloaded from a well-known keyserver and committed into the repository in armored format. The reasoning is that commits are signed with my own PGP key, hence I'd rather download a public key once and put my stamp on it than trust a new download of the key every time a build is triggered.
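An added example of how a build step can apply this policy (written for this note, not one of the repository's own Dockerfiles): the armored key is copied in from the repo rather than fetched, imported into a throwaway keyring, and the downloaded archive is only unpacked if its detached signature verifies. The URLs, the key file path `keys/author-key.asc` and `FINGERPRINT_PLACEHOLDER` are assumptions; the fingerprint pin goes one step beyond the text above and makes a swapped key file fail the build as well.

```dockerfile
FROM debian:bookworm-slim

# Placeholders (assumptions for this example): the archive and its detached
# signature, the key file committed in the repo, and that key's fingerprint.
ARG BLOB_URL=https://example.invalid/tool-1.0.tar.gz
ARG SIG_URL=https://example.invalid/tool-1.0.tar.gz.asc
ARG KEY_FINGERPRINT=FINGERPRINT_PLACEHOLDER

# The author's public key, fetched from a keyserver once and committed in
# armored form; the build never contacts a keyserver itself.
COPY keys/author-key.asc /tmp/author-key.asc

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates curl gnupg; \
    rm -rf /var/lib/apt/lists/*; \
    # Throwaway keyring so nothing from the build host's trust store leaks in
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --import /tmp/author-key.asc; \
    # Pin the fingerprint: a tampered key file in the repo fails the build too
    gpg --batch --with-colons --fingerprint \
        | grep -q "^fpr:.*:${KEY_FINGERPRINT}:$"; \
    curl -fsSL -o /tmp/blob.tar.gz "$BLOB_URL"; \
    curl -fsSL -o /tmp/blob.tar.gz.asc "$SIG_URL"; \
    # gpg exits non-zero on a bad, expired or unknown-key signature; with set -e
    # that aborts this RUN step and therefore the whole image build
    gpg --batch --verify /tmp/blob.tar.gz.asc /tmp/blob.tar.gz; \
    tar -xzf /tmp/blob.tar.gz -C /usr/local/src; \
    rm -rf "$GNUPGHOME" /tmp/blob.tar.gz /tmp/blob.tar.gz.asc /tmp/author-key.asc
```

`KEY_FINGERPRINT` must be the full 40-hex-digit fingerprint without spaces, as printed by `gpg --with-colons --fingerprint`.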