diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml
index 7b8990f688..6817c73f13 100644
--- a/pipelines/enterprise-contract.yaml
+++ b/pipelines/enterprise-contract.yaml
@@ -40,6 +40,13 @@ spec:
         "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple
         paths can be provided by using the ":" separator.
       default: ""
+    - name: PUBLIC_KEY
+      type: string
+      default: "k8s://openshift-pipelines/public-key"
+      description: |
+        Public key used to verify signatures. Must be a valid k8s cosign
+        reference, e.g. k8s://my-space/my-secret where my-secret contains
+        the expected cosign.pub attribute.
   results:
     - name: TEST_OUTPUT
       value: "$(tasks.verify.results.TEST_OUTPUT)"
@@ -59,7 +66,7 @@ spec:
         - name: STRICT
           value: "true"
         - name: PUBLIC_KEY
-          value: "k8s://openshift-pipelines/public-key"
+          value: "$(params.PUBLIC_KEY)"
         - name: IGNORE_REKOR
           value: "true"
       taskRef: