.gitignore

@@ -1,2 +1 @@
-SOURCES/osbuild-composer-101.4.tar.gz
-SOURCES/osbuild-composer-101.tar.gz
+SOURCES/osbuild-composer-132.2.tar.gz

.osbuild-composer.metadata

@@ -1,2 +1 @@
-ce93c5ab93c03de154e13611670b63e764377b52 SOURCES/osbuild-composer-101.4.tar.gz
-0feb86b5dcd146ce5b87816ae482eb50ed507c16 SOURCES/osbuild-composer-101.tar.gz
+7d3fc3e6143f79531868e9d96f27b4afbd61950b SOURCES/osbuild-composer-132.2.tar.gz

SOURCES/0001-Remove-libreport-rhel-anaconda-bugzilla-from-anacond.patch

@@ -0,0 +1,25 @@
+From 8ee4f9ba6264c2772708426bbe6026b2d28eb815 Mon Sep 17 00:00:00 2001
+From: eabdullin <eabdullin@almalinux.org>
+Date: Thu, 26 Dec 2024 15:52:33 +0300
+Subject: [PATCH 1/2] Remove libreport-rhel-anaconda-bugzilla from anaconda
+ packageset
+
+---
+ .../osbuild/images/pkg/distro/rhel/rhel8/bare_metal.go           | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/vendor/github.com/osbuild/images/pkg/distro/rhel/rhel8/bare_metal.go b/vendor/github.com/osbuild/images/pkg/distro/rhel/rhel8/bare_metal.go
+index 0d5fbe0..1fbbed3 100644
+--- a/vendor/github.com/osbuild/images/pkg/distro/rhel/rhel8/bare_metal.go
++++ b/vendor/github.com/osbuild/images/pkg/distro/rhel/rhel8/bare_metal.go
+@@ -228,7 +228,6 @@ func anacondaPackageSet(t *rhel.ImageType) rpmmd.PackageSet {
+ 			"libibverbs",
+ 			"libreport-plugin-bugzilla",
+ 			"libreport-plugin-reportuploader",
+-			"libreport-rhel-anaconda-bugzilla",
+ 			"librsvg2",
+ 			"linux-firmware",
+ 			"lklug-fonts",
+-- 
+2.39.5 (Apple Git-154)
+

SOURCES/fix-unclosed-logrus-logging-pipes.patch

@@ -0,0 +1,40 @@
+From 0f97a1c1668827086dfa335c9fb427cbb28782b2 Mon Sep 17 00:00:00 2001
+From: Lukas Zapletal <lzap+git@redhat.com>
+Date: Thu, 11 Sep 2025 08:03:21 +0200
+Subject: [PATCH] common: fix unclosed logrus logging pipes
+
+This is a backport of 1cde7e3. The original patch was not separated into
+individual commits unfortunately, there fore only the relevant line is
+being brought in. The original analysis:
+
+It looks like both CloudAPI and WeldrAPI consume memory, process can go
+up to several gigabytes pretty quickly just by running a simple script.
+
+while sleep 0.001; do
+    curl --unix-socket /run/weldr/api.socket -XGET http://localhost/api/
+    curl --unix-socket /run/cloudapi/api.socket -XGET http://localhost/api/
+done
+
+There is a logrus logger method called Write and WriteLevel which create
+a new logging entry, create a PIPE and spawn a goroutine that is reading
+from that PIPE. The caller is expected to close the PIPE writer which
+was not done.
+---
+ internal/common/echo_logrus.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/internal/common/echo_logrus.go b/internal/common/echo_logrus.go
+index 198ce17310..600cce2d74 100644
+--- a/internal/common/echo_logrus.go
++++ b/internal/common/echo_logrus.go
+@@ -178,5 +178,9 @@ func (l *EchoLogrusLogger) Panicj(j lslog.JSON) {
+ }
+
+ func (l *EchoLogrusLogger) Write(p []byte) (n int, err error) {
+-	return l.Logger.WithContext(l.Ctx).Writer().Write(p)
++	// Writer() from logrus returns PIPE that needs to be closed
++	w := l.Logger.WithContext(l.Ctx).Writer()
++	defer w.Close()
++
++	return w.Write(p)
+ }

SOURCES/json-tailoring-conversion.patch

@@ -0,0 +1,54 @@
+From 62822b56ae637ce512be4ace2ee062cabddcfa09 Mon Sep 17 00:00:00 2001
+From: Gianluca Zuccarelli <gianlucazuccarelli@gmail.com>
+Date: Mon, 8 Sep 2025 14:11:50 +0100
+Subject: [PATCH] internal/blueprint: add JSON tailoring to bp conversion
+
+The blueprint convert function was missing the json tailoring case. This meant that
+if the json tailoring customization was provided in the blueprint, the customization
+would get ignored and the tailoring profile would not be applied to the image.
+---
+ internal/blueprint/blueprint.go              | 4 ++++
+ internal/blueprint/blueprint_convert_test.go | 8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/internal/blueprint/blueprint.go b/internal/blueprint/blueprint.go
+index 63f8aa5b71..c01a2c6a48 100644
+--- a/internal/blueprint/blueprint.go
++++ b/internal/blueprint/blueprint.go
+@@ -253,6 +253,10 @@ func Convert(bp Blueprint) iblueprint.Blueprint {
+ 				itailoring := iblueprint.OpenSCAPTailoringCustomizations(*tailoring)
+ 				ioscap.Tailoring = &itailoring
+ 			}
++			if jsonTailoring := oscap.JSONTailoring; jsonTailoring != nil {
++				ijsonTailoring := iblueprint.OpenSCAPJSONTailoringCustomizations(*jsonTailoring)
++				ioscap.JSONTailoring = &ijsonTailoring
++			}
+ 			customizations.OpenSCAP = &ioscap
+ 		}
+ 		if ign := c.Ignition; ign != nil {
+diff --git a/internal/blueprint/blueprint_convert_test.go b/internal/blueprint/blueprint_convert_test.go
+index 520e18271d..2c652f0658 100644
+--- a/internal/blueprint/blueprint_convert_test.go
++++ b/internal/blueprint/blueprint_convert_test.go
+@@ -233,6 +233,10 @@ func TestConvert(t *testing.T) {
+ 							Selected:   []string{"cloth"},
+ 							Unselected: []string{"leather"},
+ 						},
++						JSONTailoring: &OpenSCAPJSONTailoringCustomizations{
++							ProfileID: "tailored_profile",
++							Filepath:  "path-to-json-file",
++						},
+ 					},
+ 					Ignition: &IgnitionCustomization{
+ 						Embedded: &EmbeddedIgnitionCustomization{
+@@ -532,6 +536,10 @@ func TestConvert(t *testing.T) {
+ 							Selected:   []string{"cloth"},
+ 							Unselected: []string{"leather"},
+ 						},
++						JSONTailoring: &iblueprint.OpenSCAPJSONTailoringCustomizations{
++							ProfileID: "tailored_profile",
++							Filepath:  "path-to-json-file",
++						},
+ 					},
+ 					Ignition: &iblueprint.IgnitionCustomization{
+ 						Embedded: &iblueprint.EmbeddedIgnitionCustomization{

SOURCES/update-go-jose-dependency.patch

@@ -0,0 +1,179 @@
+From 8e6381e3cfdebe5107949173a0994e7b8557a718 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <ondrej@budai.cz>
+Date: Tue, 26 Aug 2025 13:41:10 +0200
+Subject: [PATCH 1/2] go.mod: update go-jose v4.0.5 to fix CVE-2025-27144
+
+---
+ go.mod                                               |  2 +-
+ go.sum                                               |  4 ++--
+ vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md |  6 ------
+ vendor/github.com/go-jose/go-jose/v4/README.md       | 10 +---------
+ vendor/github.com/go-jose/go-jose/v4/jwe.go          |  5 +++--
+ vendor/github.com/go-jose/go-jose/v4/jwk.go          |  4 ++--
+ vendor/github.com/go-jose/go-jose/v4/jws.go          |  5 +++--
+ vendor/modules.txt                                   |  2 +-
+ 8 files changed, 13 insertions(+), 25 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index 43cd13d2ae..b26e5dcbd4 100644
+--- a/go.mod
++++ b/go.mod
+@@ -133,7 +133,7 @@ require (
+ 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
+ 	github.com/felixge/httpsnoop v1.0.4 // indirect
+ 	github.com/ghodss/yaml v1.0.0 // indirect
+-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
++	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+ 	github.com/go-logr/logr v1.4.2 // indirect
+ 	github.com/go-logr/stdr v1.2.2 // indirect
+ 	github.com/go-openapi/analysis v0.23.0 // indirect
+diff --git a/go.sum b/go.sum
+index 16526b8d12..0445be92d9 100644
+--- a/go.sum
++++ b/go.sum
+@@ -252,8 +252,8 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
+ github.com/go-chi/chi/v5 v5.0.0/go.mod h1:BBug9lr0cqtdAhsu6R4AAdvufI0/XBzAQSsUqJpoZOs=
+ github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+ github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+-github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+-github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
++github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
++github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+ github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+diff --git a/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
+index b63e1f8fee..4b4805add6 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
++++ b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
+@@ -7,9 +7,3 @@ When submitting code, please make every effort to follow existing conventions
+ and style in order to keep the code as readable as possible. Please also make
+ sure all tests pass by running `go test`, and format your code with `go fmt`.
+ We also recommend using `golint` and `errcheck`.
+-
+-Before your code can be accepted into the project you must also sign the
+-Individual Contributor License Agreement.  We use [cla-assistant.io][1] and you
+-will be prompted to sign once a pull request is opened.
+-
+-[1]: https://cla-assistant.io/
+diff --git a/vendor/github.com/go-jose/go-jose/v4/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md
+index 79a7c5ecc8..02b5749546 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/README.md
++++ b/vendor/github.com/go-jose/go-jose/v4/README.md
+@@ -9,14 +9,6 @@ Package jose aims to provide an implementation of the Javascript Object Signing
+ and Encryption set of standards. This includes support for JSON Web Encryption,
+ JSON Web Signature, and JSON Web Token standards.
+
+-**Disclaimer**: This library contains encryption software that is subject to
+-the U.S. Export Administration Regulations. You may not export, re-export,
+-transfer or download this code or any part of it in violation of any United
+-States law, directive or regulation. In particular this software may not be
+-exported or re-exported in any form or on any media to Iran, North Sudan,
+-Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
+-US maintained blocked list.
+-
+ ## Overview
+
+ The implementation follows the
+@@ -109,6 +101,6 @@ allows attaching a key id.
+
+ Examples can be found in the Godoc
+ reference for this package. The
+-[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
++[`jose-util`](https://github.com/go-jose/go-jose/tree/main/jose-util)
+ subdirectory also contains a small command-line utility which might be useful
+ as an example as well.
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+index 89f03ee3e1..9f1322dccc 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
+ 	keyAlgorithms []KeyAlgorithm,
+ 	contentEncryption []ContentEncryption,
+ ) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
++	// Five parts is four separators
++	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
++	parts := strings.SplitN(input, ".", 5)
+
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go
+index 8a52842106..9e57e93ba2 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jwk.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go
+@@ -239,10 +239,10 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
+ 				keyPub = key
+ 			}
+ 		} else {
+-			err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
++			return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
+ 		}
+ 	default:
+-		err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
++		return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
+ 	}
+
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
+index 3a912301af..d09d8ba507 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
+@@ -327,10 +327,11 @@ func parseSignedCompact(
+ 	payload []byte,
+ 	signatureAlgorithms []SignatureAlgorithm,
+ ) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
++	// Three parts is two separators
++	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
++	parts := strings.SplitN(input, ".", 3)
+
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 06781a551d..0b64b482ea 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -690,7 +690,7 @@ github.com/getsentry/sentry-go/logrus
+ # github.com/ghodss/yaml v1.0.0
+ ## explicit
+ github.com/ghodss/yaml
+-# github.com/go-jose/go-jose/v4 v4.0.4
++# github.com/go-jose/go-jose/v4 v4.0.5
+ ## explicit; go 1.21
+ github.com/go-jose/go-jose/v4
+ github.com/go-jose/go-jose/v4/cipher
+
+From 8b1ed9f96f7434ead5683015b0ad78014be76ba2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <ondrej@budai.cz>
+Date: Tue, 26 Aug 2025 13:46:51 +0200
+Subject: [PATCH 2/2] github: ignore unused functions in shellcheck
+
+Seems to be a false positive (shellcheck doesn't understand traps).
+---
+ .github/workflows/tests.yml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
+index 54185df0c0..e11d7a39fb 100644
+--- a/.github/workflows/tests.yml
++++ b/.github/workflows/tests.yml
+@@ -212,9 +212,9 @@ jobs:
+       with:
+         ignore: vendor # We don't want to fix the code in vendored dependencies
+       env:
+-        # don't check /etc/os-release sourcing, allow useless cats to live inside our codebase, and
+-        # allow seemingly unreachable commands
+-        SHELLCHECK_OPTS: -e SC1091 -e SC2002 -e SC2317
++        # don't check /etc/os-release sourcing, allow useless cats to live inside our codebase,
++        # allow seemingly unreachable commands, and allow unused functions
++        SHELLCHECK_OPTS: -e SC1091 -e SC2002 -e SC2317 -e SC2329
+
+     - name: Do not doube trap signals inside test scripts
+       run: |

SPECS/osbuild-composer.spec

@@ -8,11 +8,11 @@
 %bcond_with relax_requires
 
 # The minimum required osbuild version
-%global min_osbuild_version 109
+%global min_osbuild_version 139
 
 %global goipath         github.com/osbuild/osbuild-composer
 
-Version:        101.4
+Version:        132.2
 
 %gometa
 
@@ -25,7 +25,7 @@ It is compatible with composer-cli and cockpit-composer clients.
 }
 
 Name:           osbuild-composer
-Release:        1%{?dist}
+Release:        3%{?dist}.alma.1
 Summary:        An image building service based on osbuild
 
 # osbuild-composer doesn't have support for building i686 and armv7hl images
@@ -36,6 +36,19 @@ License:        Apache-2.0
 URL:            %{gourl}
 Source0:        %{gosource}
 
+# https://github.com/osbuild/osbuild-composer/pull/4856
+Patch0: json-tailoring-conversion.patch
+
+# https://github.com/osbuild/osbuild-composer/pull/4860
+Patch1: fix-unclosed-logrus-logging-pipes.patch
+
+# https://github.com/osbuild/osbuild-composer/pull/4842
+Patch2: update-go-jose-dependency.patch
+
+# AlmaLinux Patch
+Patch101: 0001-Remove-libreport-rhel-anaconda-bugzilla-from-anacond.patch
+Patch102: 0002-AlmaLinux-support-patch.patch
+
 BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
 BuildRequires:  systemd
 BuildRequires:  krb5-devel
@@ -84,11 +97,10 @@ export PATH=$PWD/_bin${PATH:+:$PATH}
 export GOPATH=$GO_BUILD_PATH:%{gopath}
 export GOFLAGS+=" -mod=vendor"
 %endif
-%if 0%{?fedora}
-# Fedora disables Go modules by default, but we want to use them.
-# Undefine the macro which disables it to use the default behavior.
+
+# Fedora and RHEL versions disable Go modules by default, but we want to use them.
+# Unconditionally undefine the macro which disables it to use the default behavior.
 %undefine gomodulesmode
-%endif
 
 # btrfs-progs-devel is not available on RHEL
 %if 0%{?rhel}
@@ -105,6 +117,7 @@ export LDFLAGS="${LDFLAGS} -X 'github.com/osbuild/osbuild-composer/internal/comm
 
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-composer %{goipath}/cmd/osbuild-composer
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-worker %{goipath}/cmd/osbuild-worker
+%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-worker-executor %{goipath}/cmd/osbuild-worker-executor
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-manager %{goipath}/cmd/osbuild-jobsite-manager
 %gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-builder %{goipath}/cmd/osbuild-jobsite-builder
 
@@ -125,6 +138,10 @@ export GOPATH=%{gobuilddir}:%{gopath}
 
 TEST_LDFLAGS="${LDFLAGS:-} -B 0x$(od -N 20 -An -tx1 -w100 /dev/urandom | tr -d ' ')"
 
+%if 0%{?rhel}
+GOTAGS="${GOTAGS:+$GOTAGS,}rhel%{rhel}"
+%endif
+
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-cli-tests %{goipath}/cmd/osbuild-composer-cli-tests
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-dnf-json-tests %{goipath}/cmd/osbuild-dnf-json-tests
 go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-weldr-tests %{goipath}/internal/client/
@@ -141,37 +158,75 @@ go build -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _b
 install -m 0755 -vd                                                %{buildroot}%{_libexecdir}/osbuild-composer
 install -m 0755 -vp _bin/osbuild-composer                          %{buildroot}%{_libexecdir}/osbuild-composer/
 install -m 0755 -vp _bin/osbuild-worker                            %{buildroot}%{_libexecdir}/osbuild-composer/
+install -m 0755 -vp _bin/osbuild-worker-executor                   %{buildroot}%{_libexecdir}/osbuild-composer/
 install -m 0755 -vp _bin/osbuild-jobsite-manager                   %{buildroot}%{_libexecdir}/osbuild-composer/
 install -m 0755 -vp _bin/osbuild-jobsite-builder                   %{buildroot}%{_libexecdir}/osbuild-composer/
 
 # Only include repositories for the distribution and release
 install -m 0755 -vd                                                %{buildroot}%{_datadir}/osbuild-composer/repositories
+
+%if 0%{?almalinux}
+%if 0%{?almalinux} >= 10
+
+install -m 0644 -vp repositories/almalinux-*                       %{buildroot}%{_datadir}/osbuild-composer/repositories/
+
+%else
+install -m 0644 -vp repositories/almalinux-8*                       %{buildroot}%{_datadir}/osbuild-composer/repositories/
+
+%if 0%{?almalinux} == 9
+install -m 0644 -vp repositories/almalinux-9*                       %{buildroot}%{_datadir}/osbuild-composer/repositories/
+%endif
+%endif
+
+%else
+
 # CentOS also defines rhel so we check for centos first
 %if 0%{?centos}
 
-# CentOS 9 supports building for CentOS 8 and later
-%if 0%{?centos} >= 9
+# Latest CentOS supports building all CentOS versions
+%if 0%{?centos} >= 10
 install -m 0644 -vp repositories/centos-*                          %{buildroot}%{_datadir}/osbuild-composer/repositories/
+
 %else
-# CentOS 8 only supports building for CentOS 8
+# All other CentOS versions support building for the same version
 install -m 0644 -vp repositories/centos-%{centos}*                 %{buildroot}%{_datadir}/osbuild-composer/repositories/
 install -m 0644 -vp repositories/centos-stream-%{centos}*          %{buildroot}%{_datadir}/osbuild-composer/repositories/
-
 %endif
+
 %else
+
 %if 0%{?rhel}
-# RHEL 9 supports building for RHEL 8 and later
-%if 0%{?rhel} >= 9
-install -m 0644 -vp repositories/rhel-*                            %{buildroot}%{_datadir}/osbuild-composer/repositories/
+# RHEL 10 supports building all RHEL versions
+%if 0%{?rhel} >= 10
+for REPO_FILE in $(ls repositories/rhel-* | grep -v 'no-aux-key'); do
+    install -m 0644 -vp ${REPO_FILE}                               %{buildroot}%{_datadir}/osbuild-composer/repositories/$(basename ${REPO_FILE})
+done
+
+# RHEL-8 auxiliary key is signed using SHA-1, which is not enabled by default on RHEL-10 and later
+for REPO_FILE in $(ls repositories/rhel-8*-no-aux-key.json); do
+    install -m 0644 -vp ${REPO_FILE}                               %{buildroot}%{_datadir}/osbuild-composer/repositories/$(basename ${REPO_FILE} | sed 's/-no-aux-key//g')
+done
 
 %else
-# RHEL 8 only supports building for 8
-install -m 0644 -vp repositories/rhel-%{rhel}*                     %{buildroot}%{_datadir}/osbuild-composer/repositories/
+# All other RHEL versions support building for the same version
+for REPO_FILE in $(ls repositories/rhel-%{rhel}* | grep -v 'no-aux-key'); do
+    install -m 0644 -vp ${REPO_FILE}                               %{buildroot}%{_datadir}/osbuild-composer/repositories/$(basename ${REPO_FILE})
+done
+
+# RHEL 9 supports building also for RHEL 8
+%if 0%{?rhel} == 9
+for REPO_FILE in $(ls repositories/rhel-8* | grep -v 'no-aux-key'); do
+    install -m 0644 -vp ${REPO_FILE}                               %{buildroot}%{_datadir}/osbuild-composer/repositories/$(basename ${REPO_FILE})
+done
+%endif
 
 %endif
 %endif
 %endif
 
+%endif
+
+
 # Fedora can build for all included fedora releases
 %if 0%{?fedora}
 install -m 0644 -vp repositories/fedora-*                          %{buildroot}%{_datadir}/osbuild-composer/repositories/
@@ -204,7 +259,6 @@ install -m 0755 -vp tools/define-compose-url.sh                    %{buildroot}%
 install -m 0755 -vp tools/provision.sh                             %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/gen-certs.sh                             %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/gen-ssh.sh                               %{buildroot}%{_libexecdir}/osbuild-composer-test/
-install -m 0755 -vp tools/image-info                               %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/run-koji-container.sh                    %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/koji-compose.py                          %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/libvirt_test.sh                          %{buildroot}%{_libexecdir}/osbuild-composer-test/
@@ -259,8 +313,8 @@ install -m 0644 -vp test/data/x509/*                               %{buildroot}%
 install -m 0755 -vd                                                %{buildroot}%{_datadir}/tests/osbuild-composer/schemas
 install -m 0644 -vp pkg/jobqueue/dbjobqueue/schemas/*              %{buildroot}%{_datadir}/tests/osbuild-composer/schemas/
 
-install -m 0755 -vd                                               %{buildroot}%{_datadir}/tests/osbuild-composer/upgrade8to9
-install -m 0644 -vp test/data/upgrade8to9/*                       %{buildroot}%{_datadir}/tests/osbuild-composer/upgrade8to9/
+install -m 0755 -vd                                                %{buildroot}%{_datadir}/tests/osbuild-composer/rhel-upgrade
+install -m 0644 -vp test/data/rhel-upgrade/*                       %{buildroot}%{_datadir}/tests/osbuild-composer/rhel-upgrade/
 
 %endif
 
@@ -300,6 +354,9 @@ cd $PWD/_build/src/%{goipath}
 %package core
 Summary:    The core osbuild-composer binary
 Requires:   osbuild-depsolve-dnf >= %{min_osbuild_version}
+# This version needs to get bumped everytime the osbuild-depsolve-dnf json
+# API changes in incompatible ways
+Requires:   osbuild-dnf-json-api = 8
 Provides:   %{name}-dnf-json = %{version}-%{release}
 Obsoletes:  %{name}-dnf-json < %{version}-%{release}
 
@@ -327,6 +384,7 @@ The worker for osbuild-composer
 
 %files worker
 %{_libexecdir}/osbuild-composer/osbuild-worker
+%{_libexecdir}/osbuild-composer/osbuild-worker-executor
 %{_libexecdir}/osbuild-composer/osbuild-jobsite-manager
 %{_libexecdir}/osbuild-composer/osbuild-jobsite-builder
 %{_unitdir}/osbuild-worker@.service
@@ -394,7 +452,11 @@ Requires:   httpd
 Requires:   mod_ssl
 Requires:   openssl
 Requires:   firewalld
+# podman-plugins has been deprecated since podman version 5.0.0,
+# which is in Fedora 40+ and in c10s / el10
+%if (0%{?rhel} && 0%{?rhel} < 10) || (0%{?fedora} && 0%{?fedora} < 40)
 Requires:   podman-plugins
+%endif
 Requires:   dnf-plugins-core
 Requires:   skopeo
 Requires:   make
@@ -421,21 +483,90 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 %endif
 
 %changelog
-* Thu Jul 17 2025 Achilleas Koutsou <achilleas@redhat.com> - 101.4-1
-- Resolves: RHEL-95416
+* Fri Nov 07 2025 Eduard Abdullin <eabdullin@almalinux.org> - 132.2-3.alma.1
+- Install AlmaLinux repositories
+- Add AlmaLinux support patch (Thanks @pastalian)
+- Remove libreport-rhel-bugzilla from package set
 
-* Tue Jun 24 2025 Ondřej Budai <obudai@redhat.com> - 101-4
-- Resolves: RHEL-89279 (CVE-2025-22871)
+* Wed Oct 15 2025 Gianluca Zuccarelli <gzuccare@redhat.com> - 132.2-3
+- Fix json tailoring blueprint conversion
+  Resolves: RHEL-111314
+- Fix unclosed logrus logging pipes
+  Resolves: RHEL-102832
+- Update go-jose dependency
+  Resolves: RHEL-82968 (CVE-2025-27144)
 
-* Tue Apr 22 2025 Tomáš Hozza <thozza@redhat.com> - 101-3
-- Resolve RHEL-84643 (CVE-2025-30204)
+* Tue Jun 24 2025 Ondřej Budai <obudai@redhat.com> - 132.2-2
+- Resolves: RHEL-89319 (CVE-2025-22871)
 
-* Wed Sep 25 2024 Tomáš Hozza <thozza@redhat.com> - 101-2
-- Rebuilt to fix:
-  - CVE-2024-34156
-  - CVE-2024-1394
-  - RHEL-24303
-  - RHEL-57905
+* Tue Apr 22 2025 Tomáš Hozza <thozza@redhat.com> = 132.2-1
+- Resolve RHEL-84642
+
+* Thu Apr 03 2025 Tomáš Hozza <thozza@redhat.com> = 132.1-1
+- Resolve RHEL-83781
+
+* Thu Feb 13 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 132-1
+- New upstream release
+
+* Wed Feb 05 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 131-1
+- New upstream release
+
+* Wed Jan 08 2025 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 128-1
+- New upstream release
+
+* Wed Dec 11 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 127-1
+- New upstream release
+
+* Wed Nov 27 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 126-1
+- New upstream release
+
+* Thu Nov 14 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 125-1
+- New upstream release
+
+* Fri Nov 01 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 124-1
+- New upstream release
+
+* Wed Oct 16 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 123-1
+- New upstream release
+
+* Wed Oct 02 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 122-1
+- New upstream release
+
+* Mon Sep 30 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 121-1
+- New upstream release
+
+* Fri Aug 23 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 118-1
+- New upstream release
+
+* Wed Aug 21 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 117-1
+- New upstream release
+
+* Thu Aug 15 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 116-1
+- New upstream release
+
+* Wed Aug 07 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 115-1
+- New upstream release
+
+* Wed Jul 24 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 114-1
+- New upstream release
+
+* Fri Jul 12 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 113-1
+- New upstream release
+
+* Wed Jun 12 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 110-1
+- New upstream release
+
+* Tue Jun 04 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 109-1
+- New upstream release
+
+* Fri May 17 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 108-1
+- New upstream release
+
+* Wed Apr 03 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 104-1
+- New upstream release
+
+* Wed Mar 06 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 102-1
+- New upstream release
 
 * Mon Feb 26 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 101-1
 - New upstream release
@@ -467,9 +598,6 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Oct 04 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 91-1
 - New upstream release
 
-* Thu Sep 21 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 90-1
-- New upstream release
-
 * Wed Sep 06 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 89-1
 - New upstream release
 
@@ -500,6 +628,9 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Mar 08 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 77-1
 - New upstream release
 
+* Wed Mar 01 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 76-1
+- New upstream release
+
 * Wed Feb 22 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 75-1
 - New upstream release
 
@@ -524,6 +655,9 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Nov 16 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 68-1
 - New upstream release
 
+* Thu Nov 03 2022 Tomas Hozza <thozza@redhat.com> - 67-2
+- Fix functional tests to make them pass in RHEL-9.2 gating
+
 * Wed Nov 02 2022 imagebuilder-bots+imagebuilder-bot@redhat.com <imagebuilder-bot> - 67-1
 - New upstream release
 
@@ -533,13 +667,13 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Aug 24 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 60-1
 - New upstream release
 
-* Thu Aug 11 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 59-1
+* Wed Aug 10 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 59-1
 - New upstream release
 
 * Thu Jul 28 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 58-1
 - New upstream release
 
-* Mon Jul 18 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 57-1
+* Wed Jul 13 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 57-1
 - New upstream release
 
 * Wed Jun 15 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 55-1
@@ -548,81 +682,139 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
 * Wed Jun 01 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 54-1
 - New upstream release
 
-* Mon May 23 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 53-1
+* Fri May 20 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 53-1
 - New upstream release
 
 * Wed May 04 2022 Ondřej Budai <ondrej@budai.cz> - 51-1
 - New upstream release
 
-* Tue Mar 01 2022 Ondřej Budai <ondrej@budai.cz> - 46-1
+* Mon Feb 28 2022 Simon Steinbeiss <simon.steinbeiss@redhat.com> - 46-1
 - New upstream release
 
-* Sat Feb 19 2022 Ondřej Budai <ondrej@budai.cz> - 45-1
+* Fri Feb 18 2022 Ondřej Budai <ondrej@budai.cz> - 45-1
 - New upstream release
 
-* Mon Feb 14 2022 Thomas Lavocat <tlavocat@redhat.com> - 44-1
+* Fri Feb 11 2022 Thomas Lavocat <tlavocat@redhat.com> - 44-1
 - New upstream release
 
-* Mon Feb 07 2022 Thomas Lavocat <tlavocat@redhat.com> - 43-1
+* Wed Jan 26 2022 Thomas Lavocat <tlavocat@redhat.com> - 43-1
 - New upstream release
 
-* Tue Jan 18 2022 Thomas Lavocat <tlavocat@redhat.com> - 42-1
+* Wed Jan 12 2022 Thomas Lavocat <tlavocat@redhat.com> - 42-1
+- New upstream release
+
+* Wed Dec 22 2021 Ondřej Budai <ondrej@budai.cz> - 41-1
 - New upstream release
 
 * Thu Dec 09 2021 Ondřej Budai <ondrej@budai.cz> - 40-1
 - New upstream release
 
-* Fri Oct 15 2021 Achilleas Koutsou <achilleas@redhat.com> - 37-1
+* Wed Nov 24 2021 Chloe Kaubisch <chloe.kaubisch@gmail.com> - 39-1
 - New upstream release
 
-* Fri Oct 15 2021 Achilleas Koutsou <achilleas@redhat.com> - 36-1
+* Fri Nov 12 2021 'Diaa Sami' <'<disami@redhat.com>'> - 38-1
+- New upstream release
+
+* Tue Nov 02 2021 lavocatt - 37-1
+- New upstream release
+
+* Thu Oct 14 2021 Achilleas Koutsou <achilleas@redhat.com> - 36-1
 - New upstream release
 
 * Mon Aug 30 2021 Tom Gundersen <teg@jklm.no> - 33-1
 - New upstream release
 
-* Sun Aug 29 2021 Tom Gundersen <teg@jklm.no> - 32-2
+* Sun Aug 29 2021 Tom Gundersen <teg@jklm.no> - 32-1
 - New upstream release
 
-* Thu Aug 12 2021 Ondřej Budai <ondrej@budai.cz> - 31-1
+* Sun Aug 15 2021 Ondřej Budai <ondrej@budai.cz> - 31-1
+- New upstream release
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 30-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Jul 02 2021 Ondřej Budai <ondrej@budai.cz> - 30-1
+- New upstream release
+
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 29-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 29-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Mar 05 2021 Martin Sehnoutka <msehnout@redhat.com> - 29-1
 - New upstream release
 
 * Sat Feb 20 2021 Martin Sehnoutka <msehnout@redhat.com> - 28-1
 - New upstream release
 
-* Fri Feb 05 2021 Ondrej Budai <obudai@redhat.com> - 27-1
+* Thu Feb 04 2021 Ondrej Budai <obudai@redhat.com> - 27-1
 - New upstream release
 
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 26-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec 17 2020 Ondrej Budai <obudai@redhat.com> - 26-2
+- Fix the compatibility with a new golang-github-azure-storage-blob 0.12
+
 * Thu Dec 17 2020 Ondrej Budai <obudai@redhat.com> - 26-1
 - New upstream release
 
-* Mon Nov 30 2020 Ondrej Budai <obudai@redhat.com> - 25-1
-- New upstream release 25 (rhbz#1883481)
+* Thu Nov 19 2020 Ondrej Budai <obudai@redhat.com> - 25-1
+- New upstream release
 
-* Thu Sep 03 2020 Tom Gundersen <tgunders@redhat.com> - 20.1-1
-- New upstream release 20.1 (rhbz#1872370)
+* Thu Nov 12 2020 Ondrej Budai <obudai@redhat.com> - 24-1
+- New upstream release
 
-* Sun Aug 23 2020 Tom Gundersen <tgunders@redhat.com> - 20-1
-- New upstream release 20 (rhbz#1871184 and rhbz#1871179)
+* Fri Nov 06 2020 Ondrej Budai <obudai@redhat.com> - 23-1
+- New upstream release
 
-* Thu Aug 13 2020 Tom Gundersen <tgunders@redhat.com> - 19-1
-- New upstream release 19 (rhbz#1866015 and rhbz#1866013)
+* Fri Oct 16 2020 Ondrej Budai <obudai@redhat.com> - 22-1
+- New upstream release
 
-* Thu Jul 09 2020 Ondrej Budai <obudai@redhat.com> - 17-1
-- New upstream release 17 (rhbz#1831653)
-- Obsolete lorax-composer in favor of osbuild-composer (rhbz#1836844)
+* Sun Aug 23 2020 Tom Gundersen <teg@jklm.no> - 20-1
+- New upstream release
+
+* Tue Aug 11 2020 Tom Gundersen <teg@jklm.no> - 19-1
+- New upstream release
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Ondrej Budai <obudai@redhat.com> - 18-1
+- New upstream release
+
+* Wed Jul 08 2020 Ondrej Budai <obudai@redhat.com> - 17-1
+- New upstream release
 
 * Mon Jun 29 2020 Ondrej Budai <obudai@redhat.com> - 16-1
-- New upstream release 16 (rhbz#1831653)
+- New upstream release
 
 * Fri Jun 12 2020 Ondrej Budai <obudai@redhat.com> - 15-1
-- New upstream release 15 (rhbz#1831653)
+- New upstream release
 
 * Thu Jun 04 2020 Ondrej Budai <obudai@redhat.com> - 14-1
-- New upstream release 14 (rhbz#1831653)
+- New upstream release
+
+* Fri May 29 2020 Ondrej Budai <obudai@redhat.com> - 13-2
+- Add missing osbuild-ostree dependency
 
 * Thu May 28 2020 Ondrej Budai <obudai@redhat.com> - 13-1
-- New upstream release 13 (rhbz#1831653)
+- New upstream release
 
-* Tue May 05 2020 Ondrej Budai <obudai@redhat.com> - 11-1
-- Initial package (renamed from golang-github-osbuild-composer) (rhbz#1771887)
+* Thu May 14 2020 Ondrej Budai <obudai@redhat.com> - 12-1
+- New upstream release
+
+* Wed Apr 29 2020 Ondrej Budai <obudai@redhat.com> - 11-1
+- New upstream release
+
+* Wed Apr 15 2020 Ondrej Budai <obudai@redhat.com> - 10-1
+- New upstream release
+
+* Wed Apr 01 2020 Ondrej Budai <obudai@redhat.com> - 9-1
+- New upstream release
+
+* Mon Mar 23 2020 Ondrej Budai <obudai@redhat.com> - 8-1
+- Initial package (renamed from golang-github-osbuild-composer)