diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..daea5ef
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWFSLKLosBrdjfuF8ZS6U01Ufky4
+zNeVPCkA6HEJ/oe634fRqwFxkXKGWg03eGFSnlwRxnUxN2+duXQSsR0pzQ==
+-----END PUBLIC KEY-----
diff --git a/internal/updater/verify_signature.go b/internal/updater/verify_signature.go
index fb536cd..e239743 100644
--- a/internal/updater/verify_signature.go
+++ b/internal/updater/verify_signature.go
@@ -49,8 +49,8 @@ const MaxSignatureBytes int64 = 1024
 // in-test-generated key; production sets it at compile time and
 // never mutates it.
 var BangerReleasePublicKey = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLACEHOLDER0000000000000000000
-000000000000000000000000000000000000000000000000000000000000PLACE
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWFSLKLosBrdjfuF8ZS6U01Ufky4
+zNeVPCkA6HEJ/oe634fRqwFxkXKGWg03eGFSnlwRxnUxN2+duXQSsR0pzQ==
 -----END PUBLIC KEY-----`
 
 // ErrSignatureRequired is returned by VerifyManifestRelease when the
diff --git a/internal/updater/verify_signature_test.go b/internal/updater/verify_signature_test.go
index e514179..7f0121f 100644
--- a/internal/updater/verify_signature_test.go
+++ b/internal/updater/verify_signature_test.go
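Review bot: In internal/updater/verify_signature.go, the key pasted into `BangerReleasePublicKey` is a second hand-maintained copy of the new `cosign.pub`, and nothing visible in this diff ties the two together, so a later rotation that updates only one of them would presumably leave the updater and anyone verifying with `cosign.pub` trusting different keys. I would record the coupling on the declaration, e.g. `// Must stay byte-identical to cosign.pub at the repository root; rotate both in the same commit.`, and back it with a test that reads the file and compares it to the constant. Separately, the trust anchor is still an exported, mutable `var`; the existing comment explains that tests swap it, but now that it holds a real key it is worth confirming that no non-test code path assigns to it. The doc comment on this declaration starts above the hunk.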
@@ -43,9 +43,16 @@ func signBlob(t *testing.T, priv *ecdsa.PrivateKey, body []byte) string {
 }
 
 func TestVerifyBlobSignaturePlaceholderRefuses(t *testing.T) {
- // The default constant in this binary is the placeholder. Any
- // verify call must refuse with ErrSignatureRequired so an
- // un-rotated build can't silently accept anything.
+ // A build that hasn't replaced the placeholder key must refuse
+ // every verify call with ErrSignatureRequired so an un-rotated
+ // build can't silently accept anything. Swap the embedded key
+ // out for the placeholder shape and assert that.
+ prev := BangerReleasePublicKey
+ BangerReleasePublicKey = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLACEHOLDER0000000000000000000
+000000000000000000000000000000000000000000000000000000000000PLACE
+-----END PUBLIC KEY-----`
+ defer func() { BangerReleasePublicKey = prev }()
 err := VerifyBlobSignature([]byte("body"), []byte("sig"))
 if !errors.Is(err, ErrSignatureRequired) {
 t.Fatalf("err = %v, want ErrSignatureRequired", err)
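Review bot: The test now reassigns the package-level `BangerReleasePublicKey` and restores it with a `defer`, which is only safe while nothing else in the package reads the key concurrently; a test marked `t.Parallel()` that calls the verifier during this window would race on the variable and could see the placeholder instead of the real key. Registering the restore as `t.Cleanup(func() { BangerReleasePublicKey = prev })` and adding a comment such as `// Mutates package state: must not run in parallel with other verifier tests.` would make that constraint explicit. The placeholder PEM is also now a literal that exists only in this test, so if the verifier's placeholder check lives in code outside this diff, sharing one constant between the two would keep them from drifting apart. The function body continues past the end of the hunk.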