diff --git a/.gitignore b/.gitignore
index 8a210dd..86f1a4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -157,3 +157,7 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.8.6.tar.xz
 /gnutls-3.8.6.tar.xz.sig
 /gmp-6.2.1.tar.xz
+/gnutls-3.8.7.tar.xz
+/gnutls-3.8.7.tar.xz.sig
+/gnutls-3.8.7.1.tar.xz
+/gnutls-3.8.7.1.tar.xz.sig
diff --git a/README.packit b/README.packit
index 3dfd179..ced1079 100644
--- a/README.packit
+++ b/README.packit
@@ -1,3 +1,3 @@
 This repository is maintained by packit.
 https://packit.dev/
-The file was generated using packit 0.97.3.
+The file was generated using packit 0.100.0.
diff --git a/gnutls-3.8.7-pkgconf-dlopen.patch b/gnutls-3.8.7-pkgconf-dlopen.patch
new file mode 100644
index 0000000..2adcae7
--- /dev/null
+++ b/gnutls-3.8.7-pkgconf-dlopen.patch
@@ -0,0 +1,170 @@
+From 292f96f26d7ce80e4a165c903c4fd569b85c1c1f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 16 Aug 2024 09:42:15 +0900
+Subject: [PATCH 1/2] build: fix setting AM_CONDITIONAL for brotli and zstd
+
+As the with_{libbrotli,libzsttd} variables are unset if configured
+with --without-{brotli,zstd}, check the unequality to "no" doesn't
+work; use explicit matching with "yes" instead.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 95ec4c1515..a476176800 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1158,7 +1158,7 @@ if test x$ac_brotli != xno; then
+ else
+     AC_MSG_RESULT(no)
+ fi
+-AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" != "no" && test "$with_libbrotlidec" != "no")
++AM_CONDITIONAL(HAVE_LIBBROTLI, test "$with_libbrotlienc" = yes && test "$with_libbrotlidec" = yes)
+ 
+ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [
+     save_CFLAGS=$CFLAGS
+@@ -1203,7 +1203,7 @@ if test x$ac_zstd != xno; then
+ else
+     AC_MSG_RESULT(no)
+ fi
+-AM_CONDITIONAL(HAVE_LIBZSTD, test "$with_libzstd" != "no")
++AM_CONDITIONAL(HAVE_LIBZSTD, test "$with_libzstd" = yes)
+ 
+ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [
+     save_CFLAGS=$CFLAGS
+-- 
+2.46.0
+
+
+From 546153198d2fb8fc4902f23de6254bb7988de534 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 16 Aug 2024 09:48:31 +0900
+Subject: [PATCH 2/2] build: don't emit Requires.private for dlopened libraries
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ configure.ac | 36 +++++++++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a476176800..f3e7a3aeae 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1100,11 +1100,6 @@ if test x$ac_zlib != xno; then
+     PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, ZLIB_HAS_PKGCONFIG=n)
+     if test "$ZLIB_HAS_PKGCONFIG" = "y" ; then
+         PKG_CHECK_MODULES(ZLIB, [zlib])
+-	if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then
+-	    GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib"
+-	else
+-	    GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib"
+-	fi
+ 	ac_zlib=yes
+     else
+ 	AC_LIB_HAVE_LINKFLAGS(z,, [#include <zlib.h>], [compress (0, 0, 0, 0);])
+@@ -1134,6 +1129,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [
+                    compress (0, 0, 0, 0);])])
+     LIBS="$save_LIBS"
+     CFLAGS="$save_CFLAGS"
++],
++      [test "$ZLIB_HAS_PKGCONFIG" = y && test "$ac_zlib" = yes], [
++    if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then
++        GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib"
++    else
++        GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, zlib"
++    fi
+ ])
+ 
+ AC_ARG_WITH(brotli,
+@@ -1146,11 +1148,6 @@ if test x$ac_brotli != xno; then
+     PKG_CHECK_MODULES(LIBBROTLIDEC, [libbrotlidec >= 1.0.0], [with_libbrotlidec=yes], [with_libbrotlidec=no])
+     if test "${with_libbrotlienc}" = "yes" && test "${with_libbrotlidec}" = "yes"; then
+ 	AC_DEFINE([HAVE_LIBBROTLI], 1, [Define if BROTLI compression is enabled.])
+-	if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
+-	    GNUTLS_REQUIRES_PRIVATE="Requires.private: libbrotlienc, libbrotlidec"
+-	else
+-	    GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libbrotlienc, libbrotlidec"
+-	fi
+ 	need_ltlibdl=yes
+     else
+ 	AC_MSG_WARN(*** LIBBROTLI was not found. You will not be able to use BROTLI compression.)
+@@ -1180,6 +1177,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [
+            BrotliDecoderVersion();])])
+     LIBS="$save_LIBS"
+     CFLAGS="$save_CFLAGS"
++],
++      [test "$with_libbrotlienc" = yes && test "$with_libbrotlidec" = yes], [
++    if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
++        GNUTLS_REQUIRES_PRIVATE="Requires.private: libbrotlienc, libbrotlidec"
++    else
++        GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libbrotlienc, libbrotlidec"
++    fi
+ ])
+ 
+ AC_ARG_WITH(zstd,
+@@ -1191,11 +1195,6 @@ if test x$ac_zstd != xno; then
+     PKG_CHECK_MODULES(LIBZSTD, [libzstd >= 1.3.0], [with_libzstd=yes], [with_libzstd=no])
+     if test "${with_libzstd}" = "yes"; then
+ 	AC_DEFINE([HAVE_LIBZSTD], 1, [Define if ZSTD compression is enabled.])
+-	if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
+-	    GNUTLS_REQUIRES_PRIVATE="Requires.private: libzstd"
+-	else
+-	    GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libzstd"
+-	fi
+ 	need_ltlibdl=yes
+     else
+ 	AC_MSG_WARN(*** LIBZSTD was not found. You will not be able to use ZSTD compression.)
+@@ -1215,6 +1214,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [
+            ZSTD_versionNumber();])])
+     LIBS="$save_LIBS"
+     CFLAGS="$save_CFLAGS"
++],
++      [test "$with_libzstd" = yes], [
++    if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then
++        GNUTLS_REQUIRES_PRIVATE="Requires.private: libzstd"
++    else
++        GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libzstd"
++    fi
+ ])
+ 
+ AC_ARG_WITH(liboqs,
+-- 
+2.46.0
+
+From 8d0ec0ccdfeaae0d56426169d4c7b490e3b07826 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 16 Aug 2024 13:35:47 +0900
+Subject: [PATCH] build: add liboqs in Requires.private in gnutls.pc if needed
+
+When --with-liboqs is specified and liboqs cannot be dlopen'ed, it
+will be linked at build time. In that case gnutls.pc should indicate
+that through Requires.private.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ configure.ac | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index f3e7a3aeae..93ba723323 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1256,6 +1256,13 @@ AS_IF([test "$ac_cv_dlopen_soname_works" = yes], [
+                    OQS_version ();])])
+     LIBS="$save_LIBS"
+     CFLAGS="$save_CFLAGS"
++],
++      [test "$have_liboqs" = yes], [
++    if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then
++        GNUTLS_REQUIRES_PRIVATE="Requires.private: liboqs"
++    else
++        GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE, liboqs"
++    fi
+ ])
+ 
+ AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes)
+-- 
+2.46.0
+
diff --git a/gnutls.spec b/gnutls.spec
index 1398fce..6ee479e 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -12,7 +12,7 @@ sha256sum:close()
 print(string.sub(hash, 0, 16))
 }
 
-Version: 3.8.6
+Version: 3.8.7
 Release: %{?autorelease}%{!?autorelease:1%{?dist}}
 # not upstreamed: can we drop this as configure is regenerated when bootstrappign?
 Patch: gnutls-3.2.7-rpath.patch
@@ -30,13 +30,8 @@ Patch: gnutls-3.7.6-drbg-reseed.patch
 Patch: gnutls-3.7.6-fips-sha1-sigver.patch
 # not upstreamed: see https://gitlab.com/gnutls/gnutls/-/issues/1443
 Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
-
-# upstreamed: should be removed after rebase to 3.8.7
-Patch: gnutls-3.8.6-compression-dlwrap.patch
-# upstreamed: should be removed after rebase to 3.8.7
-Patch: gnutls-3.8.6-liboqs-x25519-kyber768d00.patch
-# upstreamed: should be removed after rebase to 3.8.7
-Patch: gnutls-3.8.6-nettle-rsa-oaep.patch
+# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1867
+Patch: gnutls-3.8.7-pkgconf-dlopen.patch
 
 %bcond_without bootstrap
 %bcond_without dane
@@ -139,8 +134,8 @@ BuildRequires:  mingw64-nettle >= 3.6
 
 URL: http://www.gnutls.org/
 %define short_version %(echo %{version} | grep -m1 -o "[0-9]*\.[0-9]*" | head -1)
-Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz
-Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.tar.xz.sig
+Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz
+Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v%{short_version}/%{name}-%{version}.1.tar.xz.sig
 Source2: https://gnutls.org/gnutls-release-keyring.gpg
 
 %if %{with bundled_gmp}
diff --git a/sources b/sources
index cdafbdf..5fcce01 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (gnutls-3.8.6.tar.xz) = 58631c456dfb43f8cb6a1703ffa91c593a33357f37dc146e808d88692e19c7ac10aeabea40bee9952205be97e00648879e9f0fa80e670e8e695f8633ba726513
-SHA512 (gnutls-3.8.6.tar.xz.sig) = 3f9552cdf5fa96184fbe394dd484fb55e6a3577d1e048aea373b82cda335ea0f174f2fb11926dc58532c1f950cd10a6a35bc36e9fe813a1259eae5c5364920b2
+SHA512 (gnutls-3.8.7.1.tar.xz) = 429cea78e227d838105791b28a18270c3d2418bfb951c322771e6323d5f712204d63d66a6606ce9604a92d236a8dd07d651232c717264472d27eb6de26ddc733
+SHA512 (gnutls-3.8.7.1.tar.xz.sig) = 53ebdaa9775ae22f7eb5e7d6f5411ec667c9c880cea84e23651b6d1994fb1398c09d8efa39b21c96f8be29fa09c2436bdd732a061308956ca1650e3e1878ed57
 SHA512 (gnutls-release-keyring.gpg) = 8c2b39239d1d8c5319757fcf669f28a11de7f8ec4a726f9904c57ba8105bea80240083c0de71b747115907bab46569f10cf58004137cc7884ac5c20f8319ae0a
 SHA512 (gmp-6.2.1.tar.xz) = c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84