diff --git a/Containerfile b/Containerfile
index ef59c00..b2faba6 100644
--- a/Containerfile
+++ b/Containerfile
@@ -29,8 +29,10 @@ LABEL io.artifacthub.package.readme-url="https://cgi.medsys.cloud/mkm1971/kamos/
 # -----------------------------------------------------------------------------
 # Stage 1: copy our customisations into the build context
+# Note: build_files goes to /ctx (NOT /tmp) because the RUN below mounts a
+# tmpfs over /tmp which would hide anything we put there.
 # -----------------------------------------------------------------------------
-COPY build_files/ /tmp/build_files/
+COPY build_files/ /ctx/
 COPY system_files/ /
 # -----------------------------------------------------------------------------
@@ -42,7 +44,8 @@ COPY system_files/ /
 RUN --mount=type=cache,dst=/var/cache \
 --mount=type=cache,dst=/var/log \
 --mount=type=tmpfs,dst=/tmp \
- /tmp/build_files/build.sh && \
+ chmod +x /ctx/build.sh && \
+ bash /ctx/build.sh && \
 ostree container commit
 # -----------------------------------------------------------------------------
diff --git a/build_files/build.sh b/build_files/build.sh
old mode 100644
new mode 100755
index 706638d..40ac994
--- a/build_files/build.sh
+++ b/build_files/build.sh
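Review bot: `COPY build_files/ /ctx/` writes the build scripts into an image layer, and nothing visible in this diff removes `/ctx` afterwards, so they appear to remain in the shipped image. If that is not intended, mount the directory for the RUN only instead of copying it, for example a `FROM scratch AS ctx` stage holding `COPY build_files /` plus `--mount=type=bind,from=ctx,source=/,target=/ctx` on the RUN. That also keeps anything placed in build_files/ later (repo definitions, credentials used during the build) out of the final filesystem.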
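Review bot: `chmod +x /ctx/build.sh` is redundant in the second Containerfile hunk. The next line runs the script through `bash`, which does not need the execute bit, and the same commit already switches build_files/build.sh to mode 100755. Either keep only `bash /ctx/build.sh && \`, or run the script directly as `/ctx/build.sh && \` now that the mode is tracked in git.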
@@ -105,15 +105,23 @@ fi
 # Files (provided by us in system_files/):
 # /usr/share/plymouth/themes/kamos/kamos.plymouth
 # /usr/share/plymouth/themes/kamos/kamos.script
-# /usr/share/plymouth/themes/kamos/kamos-logo.png (drop your PNG here)
+# /usr/share/plymouth/themes/kamos/kamos-logo.png
+#
+# The kamos theme uses ModuleName=script which needs the
+# plymouth-plugin-script package - Bazzite doesn't ship it by default.
 # -----------------------------------------------------------------------------
 if [ -f /usr/share/plymouth/themes/kamos/kamos.plymouth ]; then
- echo "==> Setting KAMOS as default plymouth theme"
- plymouth-set-default-theme kamos
- # Rebuild the initramfs so the splash is actually used at next boot.
- # Bazzite uses dracut.
- if command -v dracut >/dev/null 2>&1; then
- dracut --force --regenerate-all || true
+ echo "==> Installing plymouth script plugin"
+ if dnf -y install plymouth-plugin-script; then
+ echo "==> Setting KAMOS as default plymouth theme"
+ plymouth-set-default-theme kamos
+ # Rebuild the initramfs so the splash is actually used at next boot.
+ if command -v dracut >/dev/null 2>&1; then
+ echo "==> Regenerating initramfs (dracut)"
+ dracut --force --regenerate-all || true
+ fi
+ else
+ echo "!! plymouth-plugin-script unavailable, leaving default Bazzite theme"
 fi
 fi
diff --git a/kamos-build.sh b/kamos-build.sh
index 5460726..8c8ac24 100755
--- a/kamos-build.sh
+++ b/kamos-build.sh
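Review bot: `dracut --force --regenerate-all || true` in the new inner branch discards a failed initramfs rebuild without any message, so the image can be committed with the kamos theme selected while the initramfs was never regenerated. The `else` branch has a similar gap: a failed `dnf -y install` (repo outage, renamed package) only prints to stdout and the build stays green. I would make the dracut failure visible and send both diagnostics to stderr, e.g. `dracut --force --regenerate-all || echo "!! dracut failed, initramfs not regenerated" >&2`. A one-line comment above the `else` should also state that falling back to the stock theme is intentional.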
@@ -95,23 +95,37 @@ for t in "${TAGS[@]}"; do
 podman push "${IMAGE_REF}:${t}"
 done
-# ---- sign -----------------------------------------------------------------
-if [ -f cosign.key ]; then
- log "Sign image with cosign"
+# ---- sign (optional, best-effort) -----------------------------------------
+# Cosign on macOS sometimes can't find podman's auth credentials (they're at
+# ~/.config/containers/auth.json instead of ~/.docker/config.json). We point
+# it at podman's auth file and don't fail the script if signing breaks - the
+# image is already pushed, signing is just a verification add-on.
+if [ -f cosign.key ] && [ "${SKIP_SIGN:-0}" != "1" ]; then
+ log "Sign image with cosign (best-effort)"
+
+ # Tell cosign where podman stored credentials.
+ PODMAN_AUTH="${HOME}/.config/containers/auth.json"
+ if [ -f "${PODMAN_AUTH}" ]; then
+ export DOCKER_CONFIG="${HOME}/.config/containers"
+ fi
+
 for t in "${TAGS[@]}"; do
- digest=$(podman image inspect "${IMAGE_REF}:${t}" --format '{{.Digest}}' 2>/dev/null || true)
- if [ -z "$digest" ]; then
- digest=$(skopeo inspect --format '{{.Digest}}' "docker://${IMAGE_REF}:${t}" 2>/dev/null || true)
- fi
+ digest=$(skopeo inspect \
+ --authfile "${PODMAN_AUTH}" \
+ --format '{{.Digest}}' \
+ "docker://${IMAGE_REF}:${t}" 2>/dev/null || true)
 if [ -n "$digest" ]; then
 log " signing ${IMAGE_REF}@${digest}"
- COSIGN_PASSWORD="" cosign sign --yes --key cosign.key "${IMAGE_REF}@${digest}"
+ COSIGN_PASSWORD="" cosign sign --yes \
+ --key cosign.key \
+ "${IMAGE_REF}@${digest}" \
+ || warn "Sign failed for tag ${t} (image still pushed and usable)"
 else
 warn "Could not get digest for tag ${t} - skipping sign"
 fi
 done
 else
- warn "cosign.key not found in repo - skipping image signing"
+ warn "Skipping image signing (set SKIP_SIGN=0 with cosign.key present to enable)"
 fi
 # ---- done -----------------------------------------------------------------
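Review bot: With `|| warn` on `cosign sign` and `2>/dev/null || true` on the `skopeo inspect` lookup, the script now exits 0 even when no tag was signed, so a consumer that enforces signature verification gets a pushed but unverifiable image and CI gives no signal. The lookup also passes `--authfile "${PODMAN_AUTH}"` unconditionally, although the `[ -f "${PODMAN_AUTH}" ]` test just above only guards the `export`; where that file is absent the inspect probably fails, and the discarded stderr reduces it to "Could not get digest". I would record the failure with `|| { warn "Sign failed for tag ${t}"; sign_failed=1; }` and close the section with `[ "${sign_failed:-0}" = 0 ] || exit 1` unless the caller opted out, and add `--authfile` only when the file exists. Separately, cosign's keychain reads `$DOCKER_CONFIG/config.json` as far as I know, so pointing `DOCKER_CONFIG` at the containers directory may not make it see `auth.json`; `REGISTRY_AUTH_FILE` is worth checking instead.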