diff --git a/Dockerfile b/Dockerfile
index 76d10ea9..8a76c470 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,9 +36,11 @@ FROM docker.io/debian:bullseye-slim AS runner
 # You still need to map the port when using the docker command or docker-compose.
 EXPOSE 6167
 
+ARG DEFAULT_DB_PATH=/var/lib/matrix-conduit
+
 ENV CONDUIT_PORT=6167 \
     CONDUIT_ADDRESS="0.0.0.0" \
-    CONDUIT_DATABASE_PATH=/var/lib/matrix-conduit \
+    CONDUIT_DATABASE_PATH=${DEFAULT_DB_PATH} \
     CONDUIT_CONFIG=''
 #    └─> Set no config file to do all configuration with env vars
 
@@ -51,9 +53,6 @@ RUN apt-get update && apt-get -y --no-install-recommends install \
     wget \
     && rm -rf /var/lib/apt/lists/*
 
-# Created directory for the database and media files
-RUN mkdir -p /srv/conduit/.local/share/conduit
-
 # Test if Conduit is still alive, uses the same endpoint as Element
 COPY ./docker/healthcheck.sh /srv/conduit/healthcheck.sh
 HEALTHCHECK --start-period=5s --interval=5s CMD ./healthcheck.sh
@@ -69,10 +68,12 @@ RUN set -x ; \
     groupadd -r -g ${GROUP_ID} conduit ; \
     useradd -l -r -M -d /srv/conduit -o -u ${USER_ID} -g conduit conduit && exit 0 ; exit 1
 
-# Change ownership of Conduit files to conduit user and group and make the healthcheck executable:
+# Create database directory, change ownership of Conduit files to conduit user and group and make the healthcheck executable:
 RUN chown -cR conduit:conduit /srv/conduit && \
-    chmod +x /srv/conduit/healthcheck.sh
-
+    chmod +x /srv/conduit/healthcheck.sh && \
+    mkdir -p ${DEFAULT_DB_PATH} && \
+    chown -cR conduit:conduit ${DEFAULT_DB_PATH}
+    
 # Change user to conduit, no root permissions afterwards:
 USER conduit
 # Set container home directory
diff --git a/docker/ci-binaries-packaging.Dockerfile b/docker/ci-binaries-packaging.Dockerfile
index 4c1199ed..c164d8f2 100644
--- a/docker/ci-binaries-packaging.Dockerfile
+++ b/docker/ci-binaries-packaging.Dockerfile
@@ -7,7 +7,7 @@
 # Credit's for the original Dockerfile: Weasy666.
 # ---------------------------------------------------------------------------------------------------------
 
-FROM docker.io/alpine:3.16.0@sha256:4ff3ca91275773af45cb4b0834e12b7eb47d1c18f770a0b151381cd227f4c253 AS runner
+FROM docker.io/alpine:3.16.2@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 AS runner
 
 
 # Standard port on which Conduit launches.
diff --git a/src/client_server/keys.rs b/src/client_server/keys.rs
index c4f91cb2..6aaf190f 100644
--- a/src/client_server/keys.rs
+++ b/src/client_server/keys.rs
@@ -170,11 +170,24 @@ pub async fn upload_signatures_route(
 ) -> Result<upload_signatures::v3::Response> {
     let sender_user = body.sender_user.as_ref().expect("user is authenticated");
 
-    for (user_id, signed_keys) in &body.signed_keys {
-        for (key_id, signed_key) in signed_keys {
-            let signed_key = serde_json::to_value(signed_key).unwrap();
+    for (user_id, keys) in &body.signed_keys {
+        for (key_id, key) in keys {
+            let key = serde_json::to_value(key)
+                .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Invalid key JSON"))?;
 
-            for signature in signed_key
+            let is_signed_key = match key.get("usage") {
+                Some(usage) => usage
+                    .as_array()
+                    .map(|usage| !usage.contains(&json!("master")))
+                    .unwrap_or(false),
+                None => true,
+            };
+
+            if !is_signed_key {
+                continue;
+            }
+
+            for signature in key
                 .get("signatures")
                 .ok_or(Error::BadRequest(
                     ErrorKind::InvalidParam,