diff --git a/Schutzfile b/Schutzfile
index dc14cd4eb..de3b95d24 100644
--- a/Schutzfile
+++ b/Schutzfile
@@ -2,7 +2,7 @@
   "fedora-35": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -79,7 +79,7 @@
   "fedora-36": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -156,7 +156,7 @@
   "fedora-37": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -233,21 +233,21 @@
   "rhel-8.4": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "rhel-8.6": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "rhel-8.7": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -334,14 +334,14 @@
   "rhel-9.0": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "rhel-9.1": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -428,21 +428,21 @@
   "centos-8": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "centos-9": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "centos-stream-9": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -488,7 +488,7 @@
   "centos-stream-8": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
diff --git a/internal/distro/distro.go b/internal/distro/distro.go
index 3bf434d63..dcce0bfe8 100644
--- a/internal/distro/distro.go
+++ b/internal/distro/distro.go
@@ -131,8 +131,8 @@ type ImageOptions struct {
 	Facts        *FactsImageOptions
 }
 
-// The OSTreeImageOptions specify an ostree ref, checksum, and URL. The meaning
-// of each parameter depends on the image type being built.
+// The OSTreeImageOptions specify an ostree ref, checksum, URL, ContentURL, and RHSM. The meaning of
+// each parameter depends on the image type being built.
 type OSTreeImageOptions struct {
 	// For ostree commit and container types: The ref of the new commit to be
 	// built.
@@ -148,6 +148,13 @@ type OSTreeImageOptions struct {
 
 	// The URL from which to fetch the commit specified by the checksum.
 	URL string
+
+	// If specified, the URL will be used only for metadata.
+	ContentURL string
+
+	// Indicate if the 'org.osbuild.rhsm.consumer' secret should be added when pulling from the
+	// remote.
+	RHSM bool
 }
 
 // The SubscriptionImageOptions specify subscription-specific image options
diff --git a/internal/distro/fedora/images.go b/internal/distro/fedora/images.go
index b6a145802..976ac445d 100644
--- a/internal/distro/fedora/images.go
+++ b/internal/distro/fedora/images.go
@@ -194,8 +194,9 @@ func iotCommitImage(workload workload.Workload,
 
 	if options.OSTree.FetchChecksum != "" && options.OSTree.URL != "" {
 		img.OSTreeParent = &ostree.CommitSpec{
-			Checksum: options.OSTree.FetchChecksum,
-			URL:      options.OSTree.URL,
+			Checksum:   options.OSTree.FetchChecksum,
+			URL:        options.OSTree.URL,
+			ContentURL: options.OSTree.ContentURL,
 		}
 	}
 
@@ -223,8 +224,9 @@ func iotContainerImage(workload workload.Workload,
 
 	if options.OSTree.FetchChecksum != "" && options.OSTree.URL != "" {
 		img.OSTreeParent = &ostree.CommitSpec{
-			Checksum: options.OSTree.FetchChecksum,
-			URL:      options.OSTree.URL,
+			Checksum:   options.OSTree.FetchChecksum,
+			URL:        options.OSTree.URL,
+			ContentURL: options.OSTree.ContentURL,
 		}
 	}
 
@@ -247,9 +249,10 @@ func iotInstallerImage(workload workload.Workload,
 	d := t.arch.distro
 
 	commit := ostree.CommitSpec{
-		Ref:      options.OSTree.ImageRef,
-		URL:      options.OSTree.URL,
-		Checksum: options.OSTree.FetchChecksum,
+		Ref:        options.OSTree.ImageRef,
+		URL:        options.OSTree.URL,
+		ContentURL: options.OSTree.ContentURL,
+		Checksum:   options.OSTree.FetchChecksum,
 	}
 	img := image.NewOSTreeInstaller(commit)
 
@@ -278,9 +281,10 @@ func iotRawImage(workload workload.Workload,
 	rng *rand.Rand) (image.ImageKind, error) {
 
 	commit := ostree.CommitSpec{
-		Ref:      options.OSTree.ImageRef,
-		URL:      options.OSTree.URL,
-		Checksum: options.OSTree.FetchChecksum,
+		Ref:        options.OSTree.ImageRef,
+		URL:        options.OSTree.URL,
+		ContentURL: options.OSTree.ContentURL,
+		Checksum:   options.OSTree.FetchChecksum,
 	}
 	img := image.NewOSTreeRawImage(commit)
 
diff --git a/internal/distro/rhel8/distro.go b/internal/distro/rhel8/distro.go
index 009ee9d87..9ca4211e3 100644
--- a/internal/distro/rhel8/distro.go
+++ b/internal/distro/rhel8/distro.go
@@ -548,7 +548,11 @@ func (t *imageType) Manifest(customizations *blueprint.Customizations,
 	// handle OSTree commit inputs
 	var commits []ostree.CommitSpec
 	if options.OSTree.FetchChecksum != "" && options.OSTree.URL != "" {
-		commits = []ostree.CommitSpec{{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL}}
+		commit := ostree.CommitSpec{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL, ContentURL: options.OSTree.ContentURL}
+		if options.OSTree.RHSM {
+			commit.Secrets = "org.osbuild.rhsm.consumer"
+		}
+		commits = []ostree.CommitSpec{commit}
 	}
 
 	// handle inline sources
diff --git a/internal/distro/rhel9/distro.go b/internal/distro/rhel9/distro.go
index 2730e933f..6628b5cff 100644
--- a/internal/distro/rhel9/distro.go
+++ b/internal/distro/rhel9/distro.go
@@ -514,7 +514,11 @@ func (t *imageType) Manifest(customizations *blueprint.Customizations,
 	// handle OSTree commit inputs
 	var commits []ostree.CommitSpec
 	if options.OSTree.FetchChecksum != "" && options.OSTree.URL != "" {
-		commits = []ostree.CommitSpec{{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL}}
+		commit := ostree.CommitSpec{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL, ContentURL: options.OSTree.ContentURL}
+		if options.OSTree.RHSM {
+			commit.Secrets = "org.osbuild.rhsm.consumer"
+		}
+		commits = []ostree.CommitSpec{commit}
 	}
 
 	// handle inline sources
diff --git a/internal/osbuild/ostree_source.go b/internal/osbuild/ostree_source.go
index a2f96a3b4..610cc738a 100644
--- a/internal/osbuild/ostree_source.go
+++ b/internal/osbuild/ostree_source.go
@@ -13,7 +13,13 @@ type OSTreeSourceItem struct {
 
 type OSTreeSourceRemote struct {
 	// URL of the repository.
-	URL string `json:"url"`
+	URL        string `json:"url"`
+	ContentURL string `json:"contenturl,omitempty"`
 	// GPG keys to verify the commits
-	GPGKeys []string `json:"gpgkeys,omitempty"`
+	GPGKeys []string                   `json:"gpgkeys,omitempty"`
+	Secrets *OSTreeSourceRemoteSecrets `json:"secrets,omitempty"`
+}
+
+type OSTreeSourceRemoteSecrets struct {
+	Name string `json:"name"`
 }
diff --git a/internal/osbuild/source.go b/internal/osbuild/source.go
index f630548d2..6d3a51948 100644
--- a/internal/osbuild/source.go
+++ b/internal/osbuild/source.go
@@ -80,6 +80,12 @@ func GenSources(packages []rpmmd.PackageSpec, ostreeCommits []ostree.CommitSpec,
 	for _, commit := range ostreeCommits {
 		item := new(OSTreeSourceItem)
 		item.Remote.URL = commit.URL
+		item.Remote.ContentURL = commit.ContentURL
+		if commit.Secrets == "org.osbuild.rhsm.consumer" {
+			item.Remote.Secrets = &OSTreeSourceRemoteSecrets{
+				Name: "org.osbuild.rhsm.consumer",
+			}
+		}
 		ostree.Items[commit.Checksum] = *item
 	}
 	if len(ostree.Items) > 0 {
diff --git a/internal/ostree/ostree.go b/internal/ostree/ostree.go
index 1cfc63f3d..35f0af4d6 100644
--- a/internal/ostree/ostree.go
+++ b/internal/ostree/ostree.go
@@ -27,6 +27,10 @@ type CommitSpec struct {
 	// URL of the repo where the commit can be fetched, if available.
 	URL string
 
+	ContentURL string
+
+	Secrets string
+
 	// Checksum of the commit.
 	Checksum string
 }
diff --git a/osbuild-composer.spec b/osbuild-composer.spec
index fb1f368d8..402afefb0 100644
--- a/osbuild-composer.spec
+++ b/osbuild-composer.spec
@@ -306,10 +306,10 @@ The core osbuild-composer binary. This is suitable both for spawning in containe
 Summary:    The worker for osbuild-composer
 Requires:   systemd
 Requires:   qemu-img
-Requires:   osbuild >= 69
-Requires:   osbuild-ostree >= 69
-Requires:   osbuild-lvm2 >= 69
-Requires:   osbuild-luks2 >= 69
+Requires:   osbuild >= 70
+Requires:   osbuild-ostree >= 70
+Requires:   osbuild-lvm2 >= 70
+Requires:   osbuild-luks2 >= 70
 Requires:   %{name}-dnf-json = %{version}-%{release}
 
 %description worker