diff --git a/tests/test-lib.sh b/tests/test-lib.sh
index a373f666..202c9a93 100644
--- a/tests/test-lib.sh
+++ b/tests/test-lib.sh
@@ -1,5 +1,28 @@
 #!/usr/bin/bash
 
+fatal() {
+    echo $@ 1>&2; exit 1
+}
+
+# Dump ls -al + file contents to stderr, then fatal()
+_fatal_print_file() {
+    file="$1"
+    shift
+    ls -al "$file" >&2
+    sed -e 's/^/# /' < "$file" >&2
+    fatal "$@"
+}
+
+assert_file_has_content () {
+    fpath=$1
+    shift
+    for re in "$@"; do
+        if ! grep -q -e "$re" "$fpath"; then
+            _fatal_print_file "$fpath" "File '$fpath' doesn't match regexp '$re'"
+        fi
+    done
+}
+
 check_whiteout () {
     tmpfile=$(mktemp /tmp/lcfs-whiteout.XXXXXX)
     rm -f $tmpfile
@@ -31,8 +54,17 @@ check_erofs_fsck () {
     fi
 }
 
+check_fsverity () {
+    fsverity --version >/dev/null 2>&1 || return 1
+    tmpfile=$(mktemp /var/tmp/lcfs-fsverity.XXXXXX)
+    echo foo > $tmpfile
+    fsverity enable $tmpfile >/dev/null 2>&1  || return 1
+    return 0
+}
+
 [[ -v can_whiteout ]] || can_whiteout=$(check_whiteout)
 [[ -v has_fuse ]] || has_fuse=$(if check_fuse; then echo y; else echo n; fi)
 [[ -v has_fsck ]] || has_fsck=$(check_erofs_fsck)
+[[ -v has_fsverity ]] || has_fsverity=$(if check_fsverity; then echo y; else echo n; fi)
 
-echo Test options: can_whiteout=$can_whiteout has_fuse=$has_fuse has_fsck=$has_fsck
+echo Test options: can_whiteout=$can_whiteout has_fuse=$has_fuse has_fsck=$has_fsck has_fsverity=$has_fsverity
diff --git a/tests/test-units.sh b/tests/test-units.sh
index 2769ecf0..f0381a78 100755
--- a/tests/test-units.sh
+++ b/tests/test-units.sh
@@ -7,6 +7,8 @@ set -e
 workdir=$(mktemp -d /var/tmp/lcfs-test.XXXXXX)
 trap 'rm -rf -- "$workdir"' EXIT
 
+. test-lib.sh
+
 function makeimage () {
     local dir=$1
     ${VALGRIND_PREFIX} $BINDIR/mkcomposefs --digest-store=$dir/objects $dir/root $dir/test.cfs
@@ -44,12 +46,33 @@ function  test_objects () {
     fi
 }
 
-TESTS="test_inline test_objects"
+function  test_mount_digest () {
+    local dir=$1
+
+    if [ $has_fsverity = y ]; then
+        echo foo > $dir/root/a-file
+        makeimage $dir
+
+        $BINDIR/mount.composefs -o basedir=$dir/objects,digest=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa $dir/test.cfs $dir/mnt 2> $dir/stderr && fatal "non-fsverity mount should not succeed"
+        assert_file_has_content $dir/stderr "Image has no fs-verity"
+
+        fsverity enable $dir/test.cfs
+
+        $BINDIR/mount.composefs -o basedir=$dir/objects,digest=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa $dir/test.cfs $dir/mnt 2> $dir/stderr && fatal "wrong fsverity mount should not succeed"
+        assert_file_has_content $dir/stderr "Image has wrong fs-verity"
+
+        local DIGEST=$(fsverity measure $dir/test.cfs | awk "{ print \$1 }" | sed s/sha256://)
+
+        $BINDIR/mount.composefs -o basedir=$dir/objects,digest=$DIGEST $dir/test.cfs $dir/mnt 2> $dir/stderr || assert_file_has_content $dir/stderr "Permission denied"
+        umount $dir/mnt 2> $dir/stderr || true
+    fi
+}
+
+TESTS="test_inline test_objects test_mount_digest"
 res=0
 for i in $TESTS; do
     testdir=$(mktemp -d $workdir/$i.XXXXXX)
-    mkdir $testdir/root
-    mkdir $testdir/objects
+    mkdir $testdir/root $testdir/objects $testdir/mnt
     if $i $testdir ; then
         echo "Test $i: OK"
     else