diff --git a/001-revert-docbook-version.patch b/001-revert-docbook-version.patch
deleted file mode 100644
index b197ea1..0000000
--- a/001-revert-docbook-version.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --color -ruNp a/lib/doc/libkcapi.tmpl b/lib/doc/libkcapi.tmpl
---- a/lib/doc/libkcapi.tmpl	2023-07-29 17:47:11.011047980 +0200
-+++ b/lib/doc/libkcapi.tmpl	2024-07-26 09:29:17.777668566 +0200
-@@ -1,6 +1,6 @@
- <?xml version="1.0" encoding="UTF-8"?>
--<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V45//EN"
--	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" []>
-+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
-+	"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" []>
- 
- <book id="libkcapi" revision="@@LIBVERSION@@">
-  <bookinfo>
diff --git a/libkcapi.spec b/libkcapi.spec
index 109828a..9e7f58b 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -84,6 +84,10 @@
 %global hmaccalc_evr      0.9.14-10%{?dist}
 %endif
 
+%global apps_coreutils sha1sum sha224sum sha256sum sha384sum sha512sum md5sum sm3sum
+%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac sm3hmac
+%global apps_fipscheck fipscheck fipshmac
+
 # On old kernels use mock hashers implemented via openssl
 %if %{lua:print(rpm.vercmp(posix.uname('%r'), '3.19'));} >= 0
 %global sha512hmac bin/kcapi-hasher -n sha512hmac
@@ -103,9 +107,9 @@
 bin_path=%{buildroot}%{_bindir}                                  \
 lib_path=%{buildroot}%{_libdir}                                  \
 { %sha512hmac "$bin_path"/kcapi-hasher || exit 1; } |            \\\
-  cut -f 1 -d ' ' >"$lib_path"/hmaccalc/.kcapi-hasher.hmac       \
-%fipshmac -d "$lib_path"/hmaccalc                                \\\
-  "$lib_path"/libkcapi.so.%{version} || exit 1                   \
+  cut -f 1 -d ' ' >"$lib_path"/hmaccalc/kcapi-hasher.hmac        \
+{ %sha512hmac "$lib_path"/libkcapi.so.%{version} || exit 1; } |  \\\
+  cut -f 1 -d ' ' >"$lib_path"/hmaccalc/libkcapi.so.%{version}.hmac \
 %{__ln_s} libkcapi.so.%{version}.hmac                            \\\
   "$lib_path"/hmaccalc/libkcapi.so.%{vmajor}.hmac                \
 %{nil}
@@ -116,14 +120,12 @@ Release:        %autorelease
 Summary:        User space interface to the Linux Kernel Crypto API
 
 License:        BSD-3-Clause OR GPL-2.0-only
-URL:            https://www.chronox.de/%{name}.html
-Source0:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
-Source1:        https://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
+URL:            https://www.chronox.de/%{name}/
+Source0:        https://www.chronox.de/%{name}/releases/%{version}/%{name}-%{version}.tar.xz
+Source1:        https://www.chronox.de/%{name}/releases/%{version}/%{name}-%{version}.tar.xz.asc
 Source2:        sha512hmac-openssl.sh
 Source3:        fipshmac-openssl.sh
 
-Patch:          001-revert-docbook-version.patch
-
 BuildRequires:  bash
 BuildRequires:  coreutils
 BuildRequires:  gcc
@@ -188,10 +190,18 @@ User documentation for %{name}.
 %endif
 
 
+%package        hasher
+Summary:        Common %{name} hashing application
+Requires:       %{name}%{?_isa}    == %{version}-%{release}
+
+%description    hasher
+Provides The kcapi-hasher binary used by other %{name} subpackages.
+
+
 %if %{with replace_coreutils}
 %package        checksum
 Summary:        Drop-in replacement for *sum utils provided by the %{name} package
-Requires:       %{name}%{?_isa}    == %{version}-%{release}
+Requires:       %{name}-hasher%{?_isa} == %{version}-%{release}
 
 Requires:       coreutils%{?_isa}  >= %{coreutils_evr}
 
@@ -207,7 +217,7 @@ coreutils) using %{name}.
 %if %{with replace_fipscheck}
 %package        fipscheck
 Summary:        Drop-in replacements for fipscheck/fipshmac provided by the %{name} package
-Requires:       %{name}%{?_isa}   == %{version}-%{release}
+Requires:       %{name}-hasher%{?_isa} == %{version}-%{release}
 
 Obsoletes:      fipscheck         <= %{fipscheck_evr}
 
@@ -223,7 +233,7 @@ package fipscheck) using %{name}.
 %if %{with replace_hmaccalc}
 %package        hmaccalc
 Summary:        Drop-in replacements for hmaccalc provided by the %{name} package
-Requires:       %{name}%{?_isa}   == %{version}-%{release}
+Requires:       %{name}-hasher%{?_isa} == %{version}-%{release}
 
 Obsoletes:      hmaccalc          <= %{hmaccalc_evr}
 
@@ -248,7 +258,8 @@ is highly discouraged.
 
 %package        tools
 Summary:        Utility applications for the %{name} package
-Requires:       %{name}%{?_isa} == %{version}-%{release}
+Requires:       %{name}%{?_isa}        == %{version}-%{release}
+Requires:       %{name}-hasher%{?_isa} == %{version}-%{release}
 
 %description    tools
 Utility applications that are provided with %{name}.  This includes
@@ -279,6 +290,10 @@ Auxiliary scripts for testing %{name}.
 %prep
 %autosetup -p 1 -S git
 
+# Work around https://bugzilla.redhat.com/show_bug.cgi?id=2258240
+sed -i -e 's|XML V45|XML V4.1.2|' -e 's|/xml/4\.5/|/xml/4.1.2/|' \
+    lib/doc/libkcapi.tmpl
+
 %if %{with_sysctl_tweak}
 %{__cat} << EOF > README.%{distroname_ext}
 This package increases the default limit of the ancillary buffer size
@@ -362,20 +377,22 @@ EOF
 %endif
 
 # Install replacement tools, if enabled.
-%if !%{with replace_coreutils}
-%{__rm} -f                            \
-  %{buildroot}%{_libexecdir}/md5sum   \
-  %{buildroot}%{_libexecdir}/sha*sum  \
-  %{buildroot}%{_libexecdir}/sm*sum
+%if %{with replace_coreutils}
+for app in %apps_coreutils; do
+  %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app
+done
 %endif
 
-%if !%{with replace_fipscheck}
-%{__rm} -f %{buildroot}%{_libexecdir}/fips*
+%if %{with replace_fipscheck}
+for app in %apps_fipscheck; do
+  %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app
+done
 %endif
 
-%if !%{with replace_hmaccalc}
-%{__rm} -f %{buildroot}%{_libexecdir}/sha*hmac
-%{__rm} -f %{buildroot}%{_libexecdir}/sm*hmac
+%if %{with replace_hmaccalc}
+for app in %apps_hmaccalc; do
+  %{__ln_s} ../libexec/libkcapi/$app %{buildroot}%{_bindir}/$app
+done
 %endif
 
 # We don't ship autocrap dumplings.
@@ -407,9 +424,11 @@ done
 %make_build scan
 %endif
 %if %{with cppcheck}
-# string literal concatenation raises syntaxError with cppcheck-2.11
-# https://trac.cppcheck.net/ticket/11830
-%make_build cppcheck CPPCHECK="cppcheck -UCHECK_DIR"
+# -UCHECK_DIR: string literal concatenation raises syntaxError
+# with cppcheck-2.11 (https://trac.cppcheck.net/ticket/11830)
+# --check-level=exhaustive: otherwise it emits warnings that get
+# treated like errors
+%make_build cppcheck CPPCHECK="cppcheck --check-level=exhaustive -UCHECK_DIR"
 %endif
 
 %if %{with test}
@@ -466,28 +485,33 @@ popd
 %endif
 
 
-%if %{with replace_coreutils}
-%files          checksum
+%files          hasher
 %{_bindir}/kcapi-hasher
 %{_libexecdir}/%{name}/md5sum
 %{_libexecdir}/%{name}/sha*sum
 %{_libexecdir}/%{name}/sm*sum
-%{_libdir}/hmaccalc/.kcapi-hasher.hmac
+%{_libexecdir}/%{name}/fips*
+%{_libexecdir}/%{name}/sha*hmac
+%{_libexecdir}/%{name}/sm*hmac
+%{_libdir}/hmaccalc/kcapi-hasher.hmac
+
+
+%if %{with replace_coreutils}
+%files          checksum
+%{_bindir}/md5sum
+%{_bindir}/sha*sum
+%{_bindir}/sm*sum
 %endif
 
 %if %{with replace_fipscheck}
 %files          fipscheck
-%{_bindir}/kcapi-hasher
-%{_libexecdir}/%{name}/fips*
-%{_libdir}/hmaccalc/.kcapi-hasher.hmac
+%{_bindir}/fips*
 %endif
 
 %if %{with replace_hmaccalc}
 %files          hmaccalc
-%{_bindir}/kcapi-hasher
-%{_libexecdir}/%{name}/sha*hmac
-%{_libexecdir}/%{name}/sm*hmac
-%{_libdir}/hmaccalc/.kcapi-hasher.hmac
+%{_bindir}/sha*hmac
+%{_bindir}/sm*hmac
 %endif
 
 
@@ -502,7 +526,10 @@ popd
 
 %if %{with test_package}
 %files          tests
-%{_libexecdir}/%{name}/*
+%{_libexecdir}/%{name}/kcapi
+%{_libexecdir}/%{name}/kcapi-convenience
+%{_libexecdir}/%{name}/kcapi-enc-test-large
+%{_libexecdir}/%{name}/*.sh
 %endif