diff --git a/generic-pipelines/simple-ros-pipeline.yaml b/generic-pipelines/simple-ros-pipeline.yaml
index d757f56..89917e5 100644
--- a/generic-pipelines/simple-ros-pipeline.yaml
+++ b/generic-pipelines/simple-ros-pipeline.yaml
@@ -43,5 +43,7 @@ spec:
 value: ./docker/Dockerfile
 - name: registry-login-secret-name
 value: $(params.registry-login-secret-name)
+ - names: cosign-secret-name
+ value: container-signing-secret
 taskRef:
 name: j7s-buildah
\ No newline at end of file
diff --git a/generic-tasks/j7s-buildah.yaml b/generic-tasks/j7s-buildah.yaml
index 0aa131b..ab261c8 100644
--- a/generic-tasks/j7s-buildah.yaml
+++ b/generic-tasks/j7s-buildah.yaml
@@ -16,6 +16,8 @@ spec:
 description: Path of the Containerfile relative to source.
 - name: registry-login-secret-name
 description: Name of the secret containing the credentials to push to the registry.
+ - name: cosign-secret-name
+ description: Name of the secret container the credentials for cosign.
 workspaces:
 - name: source
 steps:
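Review bot: The added param entry uses the key `names` instead of `name` (`- names: cosign-secret-name`), so the Tekton param list item is malformed and the `cosign-secret-name` param declared in generic-tasks/j7s-buildah.yaml never receives this value; change it to `- name: cosign-secret-name`. The value is also hard-coded as `container-signing-secret` while the neighbouring `registry-login-secret-name` entry is wired through `$(params.registry-login-secret-name)`; if the pipeline is meant to be reusable, exposing it as a pipeline param the same way would be consistent. The params list this entry belongs to starts outside the hunk.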
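Review bot: The new param description reads `Name of the secret container the credentials for cosign.`, which garbles the wording used on the line above; make it `description: Name of the secret containing the cosign signing key and passphrase.`. Since the step later expects the files `cosign.key` and `cosign.password` in that secret, naming those two keys in the description would spare the next user a failed signing run.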
@@ -26,14 +28,26 @@ spec:
 set -x
 # Login
 buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
+ # Setup cosign.
+ cp /etc/cosign-credentials/* ~/.sigstore
+ cat < ~/.sigstore/param-file.yaml
+ privateKeyFile: "$HOME/.sigstore/cosign.key"
+ privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
+ EOF
+ mkdir -p /etc/containers/registries.d/
+ cat < /etc/containers/registries.d/james-registry.yaml
+ docker:
+ $(params.registry):
+ use-sigstore-attachments: true
+ EOF
 # Build
 buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
 -f $(params.containerfile) -t $(params.name):$(params.version) .
 # Push
- skopeo copy --debug --dest-tls-verify=false \
+ skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
 containers-storage:localhost/$(params.name):$(params.version) \
 docker://$(params.registry)/$(params.name):$(params.version)
- skopeo copy --debug --dest-tls-verify=false \
+ skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
 containers-storage:localhost/$(params.name):$(params.version) \
 docker://$(params.registry)/$(params.name):latest
 env:
@@ -50,8 +64,14 @@ spec:
 volumeMounts:
 - name: varlibcontainers
 mountPath: /var/lib/containers
+ - name: cosign-credentials
+ mountPath: /etc/cosign-credentials
 securityContext:
 privileged: true
 volumes:
 - name: varlibcontainers
- emptyDir: {}
\ No newline at end of file
+ emptyDir: {}
+ volumes:
+ - name: cosign-credentials
+ secret:
+ secretName: $(params.cosign-secret-name)
\ No newline at end of file
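Review bot: `cp /etc/cosign-credentials/* ~/.sigstore` runs before anything creates `~/.sigstore`; unless the part of the script above the hunk already makes it, the cp fails (or, with a single file in the secret, produces a regular file named `.sigstore`) and the following write to `~/.sigstore/param-file.yaml` fails as well — add `mkdir -p ~/.sigstore` before the cp, as the hunk already does with `mkdir -p /etc/containers/registries.d/`. As shown here both file writes are `cat < path`, a plain input redirection with no heredoc, so the lines down to `EOF` would run as shell commands; if the diff viewer stripped a `<<EOF >` from those two lines ignore this, otherwise they need to be `cat <<EOF > ~/.sigstore/param-file.yaml` and `cat <<EOF > /etc/containers/registries.d/james-registry.yaml`. The glob also silently assumes the secret carries exactly the files the param file names, `cosign.key` and `cosign.password`; a `test -f ~/.sigstore/cosign.key` before the first skopeo copy would turn a missing key into a clear failure instead of an opaque signing error. Naming the registries.d file after a person (`james-registry.yaml`) in a generic task is a style nit; a neutral name such as `sigstore-registry.yaml` reads better.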
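Review bot: The new side now has two `volumes:` keys in the same mapping — the existing one holding `varlibcontainers` and the added `+ volumes:` line — and YAML parsers either reject the duplicate or keep only the last one, which would drop the `varlibcontainers` volume that the `/var/lib/containers` volumeMount still references. Remove the added `volumes:` line and make `- name: cosign-credentials` / `secret:` / `secretName: $(params.cosign-secret-name)` the second item of the existing list (the collapsed hunk does not show indentation, so verify the item sits at the same level as `- name: varlibcontainers`). Since the mounted files are a private signing key and its passphrase, consider `defaultMode: 0400` on the secret volume so they are not world-readable inside the privileged step container.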