diff --git a/target/product/base_system.mk b/target/product/base_system.mk
index 434cbfcfd6..ddce7593f0 100644
--- a/target/product/base_system.mk
+++ b/target/product/base_system.mk
@@ -81,6 +81,7 @@ PRODUCT_PACKAGES += \
     framework-res \
     framework-sysconfig.xml \
     fsck_msdos \
+    fsverity-release-cert-der \
     fs_config_files_system \
     fs_config_dirs_system \
     group_system \
diff --git a/target/product/security/Android.bp b/target/product/security/Android.bp
index 080706b115..5f4f82b3e2 100644
--- a/target/product/security/Android.bp
+++ b/target/product/security/Android.bp
@@ -3,3 +3,11 @@ android_app_certificate {
     name: "aosp-testkey",
     certificate: "testkey",
 }
+
+// Google-owned certificate for CTS testing, since we can't trust arbitrary keys on release devices.
+prebuilt_etc {
+    name: "fsverity-release-cert-der",
+    src: "fsverity-release.x509.der",
+    sub_dir: "security/fsverity",
+    filename_from_src: true,
+}
diff --git a/target/product/security/fsverity-release.x509.der b/target/product/security/fsverity-release.x509.der
new file mode 100644
index 0000000000..cd8cd795cf
Binary files /dev/null and b/target/product/security/fsverity-release.x509.der differ