diff --git a/integration/kubernetes/confidential/fixtures/cosign.pub b/integration/kubernetes/confidential/fixtures/cosign.pub
new file mode 100644
index 000000000..9920c37c0
--- /dev/null
+++ b/integration/kubernetes/confidential/fixtures/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1gHGbfk1AqOweLEM8HfT0bmfQE3b
+9fcp/LU75FMfxVZXmNVtUprsHM1thuuiBKOofv8KV7TrFl4p8NJCiXUkhA==
+-----END PUBLIC KEY-----
diff --git a/integration/kubernetes/confidential/fixtures/cosignWrong.pub b/integration/kubernetes/confidential/fixtures/cosignWrong.pub
new file mode 100644
index 000000000..cc8da380f
--- /dev/null
+++ b/integration/kubernetes/confidential/fixtures/cosignWrong.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwkHKoZIzj0CAQYIKoZIzj0DAkcDQgAE1gHGbfk1AqOweoEM8HfT0bmf2E3b
+9fcp/LU75FMfxVZXmNVtUprsHM1thuuiBKOofv8KV7TrFl4p8NJCiXUkhA==
+-----END PUBLIC KEY-----
diff --git a/integration/kubernetes/confidential/fixtures/policy.json b/integration/kubernetes/confidential/fixtures/policy.json
new file mode 100644
index 000000000..c2bc471cd
--- /dev/null
+++ b/integration/kubernetes/confidential/fixtures/policy.json
@@ -0,0 +1,30 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "quay.io/kata-containers/confidential-containers": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/run/image-security/simple_signing/pubkey.gpg"
+ }
+ ],
+ "quay.io/kata-containers/confidential-containers:cosign-signed": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/run/image-security/cosign/cosign.pub"
+ }
+ ],
+ "quay.io/kata-containers/confidential-containers:cosign-signed-key2": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/run/image-security/cosign/cosign.pub"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/integration/kubernetes/confidential/sev.bats b/integration/kubernetes/confidential/sev.bats
index 2c63bfa39..2728f6d81 100644
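Review bot: In policy.json the `...:cosign-signed` and `...:cosign-signed-key2` scopes point at the same `keyPath` (`/run/image-security/cosign/cosign.pub`), so the policy itself cannot make the two tags verify against different keys; the outcome for both depends on which file the test installs at that path (the sev.bats hunk introduces `setup_cosign_signatures_files` with a key-file argument, which suggests the key is swapped per test). If the `key2` case is meant to be the negative test against `cosignWrong.pub`, giving it its own `keyPath` would make the fixture self-describing and stop a stale key left at the shared path from turning the failure case into a pass. Also, `"default"` is `insecureAcceptAnything`, so any reference outside `quay.io/kata-containers/confidential-containers` — presumably the `${IMAGE_REPO}` images of the other tests, if that variable names a different repository — is pulled without any signature check; JSON cannot carry that note, so I would record it as a comment beside the `cp` of policy.json in `run_kbs`, e.g. `# policy.json enforces signatures only for quay.io/kata-containers/confidential-containers; every other ref is insecureAcceptAnything`.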
--- a/integration/kubernetes/confidential/sev.bats
+++ b/integration/kubernetes/confidential/sev.bats
@@ -150,18 +150,22 @@ delete_pods() {
 local encrypted_pod_name=$(esudo kubectl get pod -o wide | grep encrypted-image-tests | awk '{print $1;}' || true)
 local unencrypted_pod_name=$(esudo kubectl get pod -o wide | grep unencrypted-image-tests | awk '{print $1;}' || true)
 local encrypted_pod_name_es=$(esudo kubectl get pod -o wide | grep encrypted-image-tests-es | awk '{print $1;}' || true)
+ local signed_pod_name=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $1;}' || true)
- # Delete both encrypted and unencrypted pods
+ # Delete encrypted, unencrypted, and signed pods
 esudo kubectl delete -f \
 "${TEST_DIR}/unencrypted-image-tests.yaml" 2>/dev/null || true
 esudo kubectl delete -f \
 "${TEST_DIR}/encrypted-image-tests.yaml" 2>/dev/null || true
 esudo kubectl delete -f \
 "${TEST_DIR}/encrypted-image-tests-es.yaml" 2>/dev/null || true
-
+ esudo kubectl delete -f \
+ "${TEST_DIR}/signed-image-tests.yaml" 2>/dev/null || true
+
 [ -z "${encrypted_pod_name}" ] || (kubernetes_wait_for_pod_delete_state "${encrypted_pod_name}" || true)
 [ -z "${unencrypted_pod_name}" ] || (kubernetes_wait_for_pod_delete_state "${unencrypted_pod_name}" || true)
 [ -z "${encrypted_pod_name_es}" ] || (kubernetes_wait_for_pod_delete_state "${encrypted_pod_name_es}" || true)
+ [ -z "${signed_pod_name}" ] || (kubernetes_wait_for_pod_delete_state "${signed_pod_name}" || true)
 }
 run_kbs() {
@@ -177,6 +181,12 @@ run_kbs() {
 pushd simple-kbs
 git checkout -b "branch_${simple_kbs_tag}" "${simple_kbs_tag}"
+
+ #copy resources
+ cp ${TESTS_REPO_DIR}/integration/kubernetes/confidential/fixtures/policy.json resources/
+ cp ${TESTS_REPO_DIR}/integration/kubernetes/confidential/fixtures/cosign.pub resources/
+ cp ${TESTS_REPO_DIR}/integration/kubernetes/confidential/fixtures/cosignWrong.pub resources/
+
 esudo docker-compose build
 esudo docker-compose up -d
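Review bot: The three `cp` lines added in run_kbs expand `${TESTS_REPO_DIR}` unquoted and pass no `--`, so a path containing whitespace or glob characters is word-split (ShellCheck SC2086), and an unset variable silently turns the source into `/integration/...` unless the file runs under `set -u`, which is not visible here. I would fail fast with `${TESTS_REPO_DIR:?}`, quote the expansions and fold the three copies into one loop over the fixture names; these are the files that policy.json's `keyPath` entries and the new `setup_cosign_signatures_files` appear to rely on, so a comment saying that is worth more than `#copy resources`. The rest of run_kbs lies outside the hunk.
```shell
  # Fixtures copied into the simple-kbs resources/ dir: the image policy and
  # the cosign public keys (see fixtures/policy.json and
  # setup_cosign_signatures_files for how they are used).
  local fixtures_dir="${TESTS_REPO_DIR:?TESTS_REPO_DIR must be set}/integration/kubernetes/confidential/fixtures"
  local fixture
  for fixture in policy.json cosign.pub cosignWrong.pub; do
    cp -- "${fixtures_dir}/${fixture}" resources/
  done
  # … unchanged: esudo docker-compose build / up -d …
```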
@@ -315,6 +325,7 @@ setup_file() {
 generate_service_yaml "unencrypted-image-tests" "${IMAGE_REPO}:unencrypted"
 generate_service_yaml "encrypted-image-tests" "${IMAGE_REPO}:encrypted"
+ generate_service_yaml "signed-image-tests" "quay.io/kata-containers/confidential-containers:cosign-signed"
 # SEV-ES policy is 7:
 # - NODBG (1): Debugging of the guest is disallowed when set
@@ -336,6 +347,20 @@ setup() {
 DELETE FROM secrets WHERE id = 10;
 DELETE FROM keysets WHERE id = 10;
 DELETE FROM policy WHERE id = 10;
+ DELETE FROM resources WHERE id = 10;
+EOF
+}
+
+setup_cosign_signatures_files() {
+ local key_file="${1:cosign.pub}"
+
+ mysql -u${KBS_DB_USER} -p${KBS_DB_PW} -h ${KBS_DB_HOST} -D ${KBS_DB} <
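Review bot: The new `generate_service_yaml "signed-image-tests" ...` line hard-codes `quay.io/kata-containers/confidential-containers:cosign-signed` while the two lines above derive their images from `${IMAGE_REPO}`; the literal is only correct as long as it matches a `sigstoreSigned` scope in fixtures/policy.json, because a reference that matches no scope there falls under that policy's `insecureAcceptAnything` default and the signed-image test would pass without any signature being checked. That coupling is invisible at this call site, so I would state it in place: `# Must stay identical to the sigstoreSigned scope in fixtures/policy.json; an unlisted ref is accepted unsigned by the policy default`. setup_file continues outside the hunk.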