diff --git a/src/cmd-build b/src/cmd-build
index fd375997c6..a26e6dd15e 100755
--- a/src/cmd-build
+++ b/src/cmd-build
@@ -326,6 +326,31 @@ fi
 if [ ! -f "${workdir}"/builds/builds.json ] && [ ! -f "${fetch_stamp}" ] ; then
 fatal "Must fetch before building"
 fi
+composefs="$(jq -r .composefs < "${image_json}")"
+case "${composefs}" in
+ "")
+ ;;
+ unsigned)
+ ostree config --repo="${tmprepo}" set ex-integrity.composefs yes
+ ;;
+ signed)
+ ostree config --repo="${tmprepo}" set ex-integrity.composefs yes
+ # Generate with e.g.
+ # openssl req -newkey rsa:4096 -nodes -keyout secrets/root-composefs-key.pem -x509 -out secrets/root-composefs-cert.pem
+ composefs_cert="${workdir}/secrets/root-composefs-cert.pem"
+ composefs_key="${workdir}/secrets/root-composefs-key.pem"
+ if test '!' -f "${composefs_cert}"; then
+ fatal "composefs enabled, but missing ${composefs_cert}"
+ fi
+ if test '!' -f "${composefs_key}"; then
+ fatal "composefs enabled, but missing ${composefs_key}"
+ fi
+ ostree config --repo="${tmprepo}" set ex-integrity.composefs-certfile "${composefs_cert}"
+ ostree config --repo="${tmprepo}" set ex-integrity.composefs-keyfile "${composefs_key}"
+ ;;
+ *) fatal "Unhandled composefs setting: ${composefs}" ;;
+esac
+
 # --cache-only is here since `fetch` is a separate verb
 # shellcheck disable=SC2086
 if test -n "${previous_commit}"; then
diff --git a/src/cmd-init b/src/cmd-init
index 38a6804920..2dfcc080f2 100755
--- a/src/cmd-init
+++ b/src/cmd-init
@@ -201,6 +201,8 @@ fi
 mkdir -p cache
 mkdir -p builds
+# This directory may hold e.g. private key material
+mkdir -p secrets
 mkdir -p tmp
 mkdir -p overrides/rpm
 mkdir -p overrides/rootfs
diff --git a/src/create_disk.sh b/src/create_disk.sh
index 1c1cdab7ce..13b3f068be 100755
--- a/src/create_disk.sh
+++ b/src/create_disk.sh
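Review bot: `composefs="$(jq -r .composefs < "${image_json}")"` turns an absent key into the literal string `null`, which falls into the `*)` arm and aborts with "Unhandled composefs setting: null"; image-default.yaml now defines the key so this only bites a stale or hand-written image.json, but `composefs="$(jq -r '.composefs // ""' < "${image_json}")"` makes absence mean disabled at no cost. This hunk writes `ex-integrity.composefs yes` while the create_disk.sh hunk at -310 writes `ex-integrity.composefs true`; if ostree reads the key as a tristate both spell the same thing, but one spelling across the two files avoids the question. In the `signed` arm the key file is only tested for existence, so a comment next to the `composefs_key=` line such as `# private signing key: keep its permissions tight and never copy it into build outputs` would tell the next maintainer what the secrets/ directory is meant to protect.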
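Review bot: `mkdir -p secrets` creates the directory with the caller's umask, although the comment right above it says it may hold private key material; `mkdir -p -m 0700 secrets` makes that intent enforced rather than only documented. `-m` applies only when the directory is newly created, so a pre-existing secrets/ keeps its mode, which matches how `-p` is used for the other directories here. Whether cmd-init also writes a .gitignore that should exclude this directory is not visible in the hunk.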
@@ -118,6 +118,7 @@ esac rootfs_args=$(getconfig_def "rootfs-args" "") bootfs=$(getconfig "bootfs") +composefs=$(jq .composefs < "${config}") grub_script=$(getconfig "grub-script") ostree_container=$(getconfig "ostree-container") commit=$(getconfig "ostree-commit") @@ -310,11 +311,14 @@ ostree config --repo $rootfs/ostree/repo set sysroot.bootloader none # Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA # https://github.com/ostreedev/ostree/issues/1265 ostree config --repo $rootfs/ostree/repo set sysroot.readonly true +if test -n "${composefs}"; then + ostree config --repo $rootfs/ostree/repo set ex-integrity.composefs true +fi # Initialize the "stateroot" ostree admin os-init "$os_name" --sysroot $rootfs # Propagate flags into target repository -if [ "${rootfs_type}" = "ext4verity" ]; then +if [ "${rootfs_type}" = "ext4verity" ] && [ -z "${composefs}" ]; then ostree config --repo=$rootfs/ostree/repo set ex-fsverity.required 'true' fi diff --git a/src/image-default.yaml b/src/image-default.yaml index ae12c21a75..76e1e872db 100644 --- a/src/image-default.yaml +++ b/src/image-default.yaml @@ -4,6 +4,8 @@ bootfs: "ext4" rootfs: "xfs" # Add arguments here that will be passed to e.g. mkfs.xfs rootfs-args: "" +# Set to either "unsigned" or "signed" to use composefs; see e.g. https://github.com/ostreedev/ostree/pull/2640 +composefs: "" # Additional default kernel arguments injected into disk images extra-kargs: []
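Review bot: `composefs=$(jq .composefs < "${config}")` lacks `-r`, so the default `composefs: ""` comes back as the two-character string `""` (and an absent key as `null`), and `test -n "${composefs}"` in the -310 hunk of this file is therefore true for every configuration: ex-integrity.composefs is enabled and the ext4verity `ex-fsverity.required` setting is skipped even when composefs is disabled. Use `composefs=$(jq -r '.composefs // ""' < "${config}")` so that only a real "unsigned"/"signed" value is non-empty. The cmd-build hunk already reads the same key with `jq -r`, so this also brings the two readers into line.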