Additional steps for the cosign contract

For the contract with cosign verified container images, perform the following additional steps:

  1. Log in to your Quay registry by running the following command:
    docker login quay.io -u <username> -p <password>
  2. Pull the container image onto your local machine.
    docker pull quay.io/prometheus/busybox:latest
  3. Tag the container image to your repository in the Quay registry by running the following command:
    docker tag quay.io/prometheus/busybox:latest quay.io/<username>/busybox:latest
  4. Push the container image to your repository in the Quay registry by running the following command:
    docker push quay.io/<username>/busybox
  5. Install the Cosign package by running the following command:
    rpm -ivh --nodeps --force https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-2.4.1-1.s390x.rpm
  6. Log in to your Quay registry using cosign by running the following command:
    cosign login quay.io --username='<username>' --password='<password>'
  7. Generate a key pair to sign the container image.
    cosign generate-key-pair

    This creates cosign.key and cosign.pub.

  8. Sign and verify the container image in the Quay registry with the private key by running the following command:
    cosign sign --key cosign.key quay.io/<username>/busybox
  9. Encode and store the public key you obtained from the earlier step in a variable by running the following command:
    export cosign_pub_base64=$(cat "cosign.pub" | base64 -w 0)
  10. Continue with Step 5 in the "Creating the workload section of the contract" section.
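
The following checks are an added example, not part of the original procedure: they confirm that the value exported in step 9 is a single-line base64 string that decodes to a PEM public key (and not to cosign.key), and wrap `cosign verify` for the image signed in step 8. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-signing checks for steps 8 and 9. Function names and
# return codes are choices made for this example, not part of cosign.

# Validate the string exported as cosign_pub_base64.
# Returns: 0 ok, 1 empty, 2 wrapped or contains whitespace,
#          3 not valid base64, 4 private key material, 5 not a PEM public key.
check_cosign_pub_b64() {
    ck_val=$1
    [ -n "$ck_val" ] || return 1

    # Without -w 0, GNU base64 wraps its output at 76 columns; the exported
    # value is expected to be one unbroken line.
    ck_flat=$(printf '%s' "$ck_val" | tr -d ' \t\r\n')
    [ "$ck_flat" = "$ck_val" ] || return 2

    ck_pem=$(printf '%s' "$ck_val" | base64 -d 2>/dev/null) || return 3

    # Encoding cosign.key instead of cosign.pub would disclose the signing key.
    case $ck_pem in
        *"PRIVATE KEY"*) return 4 ;;
    esac

    ck_first=$(printf '%s\n' "$ck_pem" | sed -n '1p')
    ck_last=$(printf '%s\n' "$ck_pem" | sed -n '$p')
    [ "$ck_first" = "-----BEGIN PUBLIC KEY-----" ] || return 5
    [ "$ck_last" = "-----END PUBLIC KEY-----" ] || return 5
    return 0
}

# Verify the signature created in step 8 against the public key.
# $1 = path to cosign.pub, $2 = image reference (needs registry access).
verify_signed_image() {
    cosign verify --key "$1" "$2" >/dev/null
}

# Usage after step 9:
#   check_cosign_pub_b64 "$cosign_pub_base64" || echo "bad key value: rc=$?"
#   verify_signed_image cosign.pub "quay.io/<username>/busybox"
```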