
No commits in common. "imports/c8s/osbuild-composer-31-1.el8" and "c8" have entirely different histories.

6 changed files with 748 additions and 11014 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/osbuild-composer-31.tar.gz SOURCES/osbuild-composer-101.tar.gz


@ -1 +1 @@
19802162d8deb87d67389a8bfd6f1fd162d54c7c SOURCES/osbuild-composer-31.tar.gz 0feb86b5dcd146ce5b87816ae482eb50ed507c16 SOURCES/osbuild-composer-101.tar.gz


@ -1,75 +0,0 @@
From 85cc7687415a96db017acaf763d53abbc47d993f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?= <ondrej@budai.cz>
Date: Mon, 16 Aug 2021 12:56:55 +0200
Subject: [PATCH] test/image: fix pipeline exports for v2 manifests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, we just assumed that all test manifests are of version 1, or we
should export the pipeline named assembler. However, this is no longer true
in RHEL 8.5 and 9 - they are only manifest v2 and they don't have a pipeline
named assembler.
This commit introduces a new way to guess the export name - if the manifest
is of version 1, we just export the assembler. In the case v2 manifest, the
last pipeline is exported.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
---
cmd/osbuild-image-tests/main_test.go | 32 +++++++++++++++++++++++++---
1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/cmd/osbuild-image-tests/main_test.go b/cmd/osbuild-image-tests/main_test.go
index f6cbccc9..f73bab3d 100644
--- a/cmd/osbuild-image-tests/main_test.go
+++ b/cmd/osbuild-image-tests/main_test.go
@@ -482,6 +482,34 @@ func testImage(t *testing.T, testcase testcaseStruct, imagePath string) {
}
}
+// guessPipelineToExport return a best-effort guess about which
+// pipeline should be exported when running osbuild for the testcase
+//
+// If this function detects that this is a version 1 manifest, it
+// always returns "assembler"
+//
+// For manifests version 2, the name of the last pipeline is returned.
+func guessPipelineToExport(rawManifest json.RawMessage) string {
+ const v1ManifestExportName = "assembler"
+ var v2Manifest struct {
+ Version string `json:"version"`
+ Pipelines []struct {
+ Name string `json:"name,omitempty"`
+ } `json:"pipelines"`
+ }
+ err := json.Unmarshal(rawManifest, &v2Manifest)
+ if err != nil {
+ // if we cannot unmarshal, let's just assume that it's a version 1 manifest
+ return v1ManifestExportName
+ }
+
+ if v2Manifest.Version == "2" {
+ return v2Manifest.Pipelines[len(v2Manifest.Pipelines)-1].Name
+ }
+
+ return v1ManifestExportName
+}
+
// runTestcase builds the pipeline specified in the testcase and then it
// tests the result
func runTestcase(t *testing.T, testcase testcaseStruct, store string) {
@@ -494,9 +522,7 @@ func runTestcase(t *testing.T, testcase testcaseStruct, store string) {
require.NoError(t, err, "error removing temporary output directory")
}()
- // NOTE(akoutsou) 1to2t: new v2 manifests name their last pipeline
- // "assembler" for compatibility with v1
- exports := []string{"assembler"}
+ exports := []string{guessPipelineToExport(testcase.Manifest)}
err = runOsbuild(testcase.Manifest, store, outputDirectory, exports)
require.NoError(t, err)
--
2.31.1

File diff suppressed because it is too large Load Diff


@ -0,0 +1,391 @@
diff --git a/go.mod b/go.mod
index f571516..d3d329f 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
github.com/getkin/kin-openapi v0.93.0
github.com/getsentry/sentry-go v0.26.0
github.com/gobwas/glob v0.2.3
- github.com/golang-jwt/jwt/v4 v4.5.0
+ github.com/golang-jwt/jwt/v4 v4.5.2
github.com/google/go-cmp v0.6.0
github.com/google/uuid v1.6.0
github.com/gophercloud/gophercloud v1.9.0
@@ -114,7 +114,7 @@ require (
github.com/go-openapi/validate v0.22.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
- github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
+ github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
github.com/golang/glog v1.1.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
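Review bot: Only the `/v4` and `/v5` modules are bumped; the context line `github.com/golang-jwt/jwt v3.2.2+incompatible // indirect` shows the un-suffixed v3 line of the same library staying vendored, and no hunk in this patch touches its parser. Whether that copy still splits tokens the pre-fix way, and whether any code path in the build parses tokens through it, cannot be told from this page and should be confirmed before the CVE is marked resolved for the package. If it turns out to be unreachable, a line in the spec changelog saying so would save the next auditor the same check.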
diff --git a/go.sum b/go.sum
index 5996751..488870b 100644
--- a/go.sum
+++ b/go.sum
@@ -251,10 +251,11 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
-github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
index c0a6f69..0fc510a 100644
--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
@@ -7,6 +7,8 @@ import (
"strings"
)
+const tokenDelimiter = "."
+
type Parser struct {
// If populated, only these methods will be considered valid.
//
@@ -36,19 +38,21 @@ func NewParser(options ...ParserOption) *Parser {
return p
}
-// Parse parses, validates, verifies the signature and returns the parsed token.
-// keyFunc will receive the parsed token and should return the key for validating.
+// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
+// receive the parsed token and should return the key for validating.
func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
}
-// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
-// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
-// than the default MapClaims implementation of Claims.
+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
+// implementing the Claims interface. This provides default values which can be overridden and
+// allows a caller to use their own type, rather than the default MapClaims implementation of
+// Claims.
//
-// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
-// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
-// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
+// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
+// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
+// claims, otherwise you might run into a panic.
func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
token, parts, err := p.ParseUnverified(tokenString, claims)
if err != nil {
@@ -85,12 +89,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
}
+ // Perform validation
+ token.Signature = parts[2]
+ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
+ }
+
vErr := &ValidationError{}
// Validate Claims
if !p.SkipClaimsValidation {
if err := token.Claims.Valid(); err != nil {
-
// If the Claims Valid returned an error, check if it is a validation error,
// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
if e, ok := err.(*ValidationError); !ok {
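Review bot: The early return on a failed `Verify` here (and `return token, vErr` on the first claims error in the next hunk) means `ValidationError.Errors` no longer carries the signature bit OR-ed together with claim bits, and nothing in the patch documents that. This is a behavioural change separate from the delimiter handling in `splitToken`, so the patch header or spec changelog should mention it, and any caller that branches on individual `Errors` bits (none are visible on this page) should be re-checked. A short comment above the block would help, e.g. `// Verify the signature first: claims of a token that fails verification are never evaluated.` As a style point, `strings.Join(parts[0:2], ".")` could use the new `tokenDelimiter` constant. ParseWithClaims begins and ends outside this hunk.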
@@ -98,22 +107,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
} else {
vErr = e
}
+ return token, vErr
}
}
- // Perform validation
- token.Signature = parts[2]
- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
- vErr.Inner = err
- vErr.Errors |= ValidationErrorSignatureInvalid
- }
-
- if vErr.valid() {
- token.Valid = true
- return token, nil
- }
+ // No errors so far, token is valid.
+ token.Valid = true
- return token, vErr
+ return token, nil
}
// ParseUnverified parses the token but doesn't validate the signature.
@@ -123,9 +124,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// It's only ever useful in cases where you know the signature is valid (because it has
// been checked previously in the stack) and you want to extract values from it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
}
token = &Token{Raw: tokenString}
@@ -175,3 +177,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
return token, parts, nil
}
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
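Review bot: The doc comment on `splitToken` promises "exactly two delimiters and three parts" but does not say that empty segments pass: an input consisting of just two delimiters returns three empty strings and `true`, which leaves rejection to the decoding steps in `ParseUnverified` (outside this hunk, so presumably handled there but not verifiable here). I would extend the comment with `// Empty segments are accepted; they must be rejected by the caller when decoding.` As a style point, `parts := make([]string, 3)` is allocated before the first `strings.Cut`, so malformed input still pays for the slice; ending with `return []string{header, claims, signature}, true` avoids that. The same function is added verbatim to the v5 parser later in this patch, so both remarks apply there as well. This check bounds the splitting work only; the length of the token string itself is still whatever the transport layer admits.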
diff --git a/vendor/github.com/golang-jwt/jwt/v5/README.md b/vendor/github.com/golang-jwt/jwt/v5/README.md
index 964598a..0bb636f 100644
--- a/vendor/github.com/golang-jwt/jwt/v5/README.md
+++ b/vendor/github.com/golang-jwt/jwt/v5/README.md
@@ -10,11 +10,11 @@ implementation of [JSON Web
Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0)
-this project adds Go module support, but maintains backwards compatibility with
+this project adds Go module support, but maintains backward compatibility with
older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the
[`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version
v5.0.0 introduces major improvements to the validation of tokens, but is not
-entirely backwards compatible.
+entirely backward compatible.
> After the original author of the library suggested migrating the maintenance
> of `jwt-go`, a dedicated team of open source maintainers decided to clone the
@@ -24,7 +24,7 @@ entirely backwards compatible.
**SECURITY NOTICE:** Some older versions of Go have a security issue in the
-crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue
+crypto/elliptic. The recommendation is to upgrade to at least 1.15 See issue
[dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more
detail.
@@ -32,7 +32,7 @@ detail.
what you
expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
This library attempts to make it easy to do the right thing by requiring key
-types match the expected alg, but you should take the extra step to verify it in
+types to match the expected alg, but you should take the extra step to verify it in
your usage. See the examples provided.
### Supported Go versions
@@ -41,7 +41,7 @@ Our support of Go versions is aligned with Go's [version release
policy](https://golang.org/doc/devel/release#policy). So we will support a major
version of Go until there are two newer major releases. We no longer support
building jwt-go with unsupported Go versions, as these contain security
-vulnerabilities which will not be fixed.
+vulnerabilities that will not be fixed.
## What the heck is a JWT?
@@ -117,7 +117,7 @@ notable differences:
This library is considered production ready. Feedback and feature requests are
appreciated. The API should be considered stable. There should be very few
-backwards-incompatible changes outside of major version updates (and only with
+backward-incompatible changes outside of major version updates (and only with
good reason).
This project uses [Semantic Versioning 2.0.0](http://semver.org). Accepted pull
@@ -125,8 +125,8 @@ requests will land on `main`. Periodically, versions will be tagged from
`main`. You can find all the releases on [the project releases
page](https://github.com/golang-jwt/jwt/releases).
-**BREAKING CHANGES:*** A full list of breaking changes is available in
-`VERSION_HISTORY.md`. See `MIGRATION_GUIDE.md` for more information on updating
+**BREAKING CHANGES:** A full list of breaking changes is available in
+`VERSION_HISTORY.md`. See [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information on updating
your code.
## Extensions
diff --git a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
index b08402c..2740597 100644
--- a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
+++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
@@ -2,11 +2,11 @@
## Supported Versions
-As of February 2022 (and until this document is updated), the latest version `v4` is supported.
+As of November 2024 (and until this document is updated), the latest version `v5` is supported. In critical cases, we might supply back-ported patches for `v4`.
## Reporting a Vulnerability
-If you think you found a vulnerability, and even if you are not sure, please report it to jwt-go-security@googlegroups.com or one of the other [golang-jwt maintainers](https://github.com/orgs/golang-jwt/people). Please try be explicit, describe steps to reproduce the security issue with code example(s).
+If you think you found a vulnerability, and even if you are not sure, please report it a [GitHub Security Advisory](https://github.com/golang-jwt/jwt/security/advisories/new). Please try be explicit, describe steps to reproduce the security issue with code example(s).
You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem.
diff --git a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
index ca85659..c929e4a 100644
--- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
@@ -62,7 +62,7 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf
case *ecdsa.PublicKey:
ecdsaKey = k
default:
- return newError("ECDSA verify expects *ecsda.PublicKey", ErrInvalidKeyType)
+ return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
}
if len(sig) != 2*m.KeySize {
@@ -96,7 +96,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
case *ecdsa.PrivateKey:
ecdsaKey = k
default:
- return nil, newError("ECDSA sign expects *ecsda.PrivateKey", ErrInvalidKeyType)
+ return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
}
// Create the hasher
diff --git a/vendor/github.com/golang-jwt/jwt/v5/hmac.go b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
index 96c6272..aca600c 100644
--- a/vendor/github.com/golang-jwt/jwt/v5/hmac.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
@@ -91,7 +91,7 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa
func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
if keyBytes, ok := key.([]byte); ok {
if !m.Hash.Available() {
- return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
+ return nil, ErrHashUnavailable
}
hasher := hmac.New(m.Hash.New, keyBytes)
@@ -100,5 +100,5 @@ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte,
return hasher.Sum(nil), nil
}
- return nil, ErrInvalidKeyType
+ return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
}
diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go
index ecf99af..054c7eb 100644
--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
@@ -8,6 +8,8 @@ import (
"strings"
)
+const tokenDelimiter = "."
+
type Parser struct {
// If populated, only these methods will be considered valid.
validMethods []string
@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// It's only ever useful in cases where you know the signature is valid (since it has already
// been or will be checked elsewhere in the stack) and you want to extract values from it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
}
token = &Token{Raw: tokenString}
@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
return token, parts, nil
}
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
+
// DecodeSegment decodes a JWT specific base64url encoding. This function will
// take into account whether the [Parser] is configured with additional options,
// such as [WithStrictDecoding] or [WithPaddingAllowed].
diff --git a/vendor/github.com/golang-jwt/jwt/v5/token.go b/vendor/github.com/golang-jwt/jwt/v5/token.go
index 352873a..9c7f4ab 100644
--- a/vendor/github.com/golang-jwt/jwt/v5/token.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/token.go
@@ -75,7 +75,7 @@ func (t *Token) SignedString(key interface{}) (string, error) {
}
// SigningString generates the signing string. This is the most expensive part
-// of the whole deal. Unless you need this for something special, just go
+// of the whole deal. Unless you need this for something special, just go
// straight for the SignedString.
func (t *Token) SigningString() (string, error) {
h, err := json.Marshal(t.Header)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 35d0433..f49c006 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -568,10 +568,10 @@ github.com/gogo/protobuf/proto
# github.com/golang-jwt/jwt v3.2.2+incompatible
## explicit
github.com/golang-jwt/jwt
-# github.com/golang-jwt/jwt/v4 v4.5.0
+# github.com/golang-jwt/jwt/v4 v4.5.2
## explicit; go 1.16
github.com/golang-jwt/jwt/v4
-# github.com/golang-jwt/jwt/v5 v5.2.0
+# github.com/golang-jwt/jwt/v5 v5.2.2
## explicit; go 1.18
github.com/golang-jwt/jwt/v5
# github.com/golang/glog v1.1.2


@ -2,9 +2,17 @@
# Pass --with tests to rpmbuild to override # Pass --with tests to rpmbuild to override
%bcond_with tests %bcond_with tests
# When --with relax_requires is specified osbuild-composer-tests
# will require osbuild-composer only by name, excluding version/release
# This is used internally during nightly pipeline testing!
%bcond_with relax_requires
# The minimum required osbuild version
%global min_osbuild_version 109
%global goipath github.com/osbuild/osbuild-composer %global goipath github.com/osbuild/osbuild-composer
Version: 31 Version: 101
%gometa %gometa
@ -17,51 +25,37 @@ It is compatible with composer-cli and cockpit-composer clients.
} }
Name: osbuild-composer Name: osbuild-composer
Release: 1%{?dist} Release: 4%{?dist}
Summary: An image building service based on osbuild Summary: An image building service based on osbuild
# osbuild-composer doesn't have support for building i686 images # osbuild-composer doesn't have support for building i686 and armv7hl images
# and also RHEL and Fedora has now only limited support for this arch. ExcludeArch: i686 armv7hl
ExcludeArch: i686
# Upstream license specification: Apache-2.0 # Upstream license specification: Apache-2.0
License: ASL 2.0 License: Apache-2.0
URL: %{gourl} URL: %{gourl}
Source0: %{gosource} Source0: %{gosource}
Patch0: 0001-PR-1645-test-image-fix-pipeline-exports-for-v2-manifests.patch
Patch1: 0002-PR-1638-fix-ami.patch Patch0: CVE-2025-30204.patch
BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
BuildRequires: systemd BuildRequires: systemd
BuildRequires: krb5-devel BuildRequires: krb5-devel
BuildRequires: python3-docutils BuildRequires: python3-docutils
BuildRequires: make BuildRequires: make
# Build requirements of 'theproglottis/gpgme' package
BuildRequires: gpgme-devel
BuildRequires: libassuan-devel
# Build requirements of 'github.com/containers/storage' package
BuildRequires: device-mapper-devel
%if 0%{?fedora} %if 0%{?fedora}
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: git BuildRequires: git
BuildRequires: golang(github.com/aws/aws-sdk-go) # Build requirements of 'github.com/containers/storage' package
BuildRequires: golang(github.com/Azure/azure-sdk-for-go) BuildRequires: btrfs-progs-devel
BuildRequires: golang(github.com/Azure/azure-storage-blob-go/azblob) # DO NOT REMOVE the BUNDLE_START and BUNDLE_END markers as they are used by 'tools/rpm_spec_add_provides_bundle.sh' to generate the Provides: bundled list
BuildRequires: golang(github.com/BurntSushi/toml) # BUNDLE_START
BuildRequires: golang(github.com/coreos/go-semver/semver) # BUNDLE_END
BuildRequires: golang(github.com/coreos/go-systemd/activation)
BuildRequires: golang(github.com/deepmap/oapi-codegen/pkg/codegen)
BuildRequires: golang(github.com/go-chi/chi)
BuildRequires: golang(github.com/google/uuid)
BuildRequires: golang(github.com/jackc/pgx/v4)
BuildRequires: golang(github.com/julienschmidt/httprouter)
BuildRequires: golang(github.com/getkin/kin-openapi/openapi3)
BuildRequires: golang(github.com/kolo/xmlrpc)
BuildRequires: golang(github.com/labstack/echo/v4)
BuildRequires: golang(github.com/gobwas/glob)
BuildRequires: golang(github.com/google/go-cmp/cmp)
BuildRequires: golang(github.com/gophercloud/gophercloud)
BuildRequires: golang(github.com/prometheus/client_golang/prometheus/promhttp)
BuildRequires: golang(github.com/stretchr/testify/assert)
BuildRequires: golang(github.com/ubccr/kerby)
BuildRequires: golang(github.com/vmware/govmomi)
BuildRequires: golang(cloud.google.com/go)
BuildRequires: golang(gopkg.in/ini.v1)
%endif %endif
Requires: %{name}-core = %{version}-%{release} Requires: %{name}-core = %{version}-%{release}
@ -70,24 +64,6 @@ Requires: systemd
Provides: weldr Provides: weldr
%if 0%{?rhel}
Obsoletes: lorax-composer <= 29
Conflicts: lorax-composer
%endif
# Remove when we stop releasing into Fedora 35
%if 0%{?fedora} >= 34
# lorax 34.3 is the first one without the composer subpackage
Obsoletes: lorax-composer < 34.3
%endif
# remove in F34
Obsoletes: golang-github-osbuild-composer < %{version}-%{release}
Provides: golang-github-osbuild-composer = %{version}-%{release}
# remove when F34 is EOL
Obsoletes: osbuild-composer-koji <= 23
%description %description
%{common_description} %{common_description}
@ -95,19 +71,11 @@ Obsoletes: osbuild-composer-koji <= 23
%if 0%{?rhel} %if 0%{?rhel}
%forgeautosetup -p1 %forgeautosetup -p1
%else %else
%goprep %goprep -k
%endif
%if 0%{?fedora} >= 34
# Fedora 34 and newer ships a newer version of github.com/getkin/kin-openapi
# package which has a different API than the older ones. Let's make the auto-
# generated code compatible by applying some sed magic.
#
# Remove when F33 is EOL
sed -i "s/openapi3.Swagger/openapi3.T/;s/openapi3.NewSwaggerLoader().LoadSwaggerFromData/openapi3.NewLoader().LoadFromData/" internal/cloudapi/openapi.gen.go
%endif %endif
%build %build
export GOFLAGS="-buildmode=pie"
%if 0%{?rhel} %if 0%{?rhel}
GO_BUILD_PATH=$PWD/_build GO_BUILD_PATH=$PWD/_build
install -m 0755 -vd $(dirname $GO_BUILD_PATH/src/%{goipath}) install -m 0755 -vd $(dirname $GO_BUILD_PATH/src/%{goipath})
@ -116,11 +84,31 @@ cd $GO_BUILD_PATH/src/%{goipath}
install -m 0755 -vd _bin install -m 0755 -vd _bin
export PATH=$PWD/_bin${PATH:+:$PATH} export PATH=$PWD/_bin${PATH:+:$PATH}
export GOPATH=$GO_BUILD_PATH:%{gopath} export GOPATH=$GO_BUILD_PATH:%{gopath}
export GOFLAGS=-mod=vendor export GOFLAGS+=" -mod=vendor"
%endif
%if 0%{?fedora}
# Fedora disables Go modules by default, but we want to use them.
# Undefine the macro which disables it to use the default behavior.
%undefine gomodulesmode
%endif %endif
%gobuild -o _bin/osbuild-composer %{goipath}/cmd/osbuild-composer # btrfs-progs-devel is not available on RHEL
%gobuild -o _bin/osbuild-worker %{goipath}/cmd/osbuild-worker %if 0%{?rhel}
GOTAGS="exclude_graphdriver_btrfs"
%endif
# Set the commit hash so that composer can report what source version
# was used to build it. This has to be set explicitly when calling rpmbuild,
# this script will not attempt to automatically discover it.
%if %{?commit:1}0
export LDFLAGS="${LDFLAGS} -X 'github.com/osbuild/osbuild-composer/internal/common.GitRev=%{commit}'"
%endif
export LDFLAGS="${LDFLAGS} -X 'github.com/osbuild/osbuild-composer/internal/common.RpmVersion=%{name}-%{?epoch:%epoch:}%{version}-%{release}.%{_arch}'"
%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-composer %{goipath}/cmd/osbuild-composer
%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-worker %{goipath}/cmd/osbuild-worker
%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-manager %{goipath}/cmd/osbuild-jobsite-manager
%gobuild ${GOTAGS:+-tags=$GOTAGS} -o _bin/osbuild-jobsite-builder %{goipath}/cmd/osbuild-jobsite-builder
make man make man
@ -139,101 +127,149 @@ export GOPATH=%{gobuilddir}:%{gopath}
TEST_LDFLAGS="${LDFLAGS:-} -B 0x$(od -N 20 -An -tx1 -w100 /dev/urandom | tr -d ' ')" TEST_LDFLAGS="${LDFLAGS:-} -B 0x$(od -N 20 -An -tx1 -w100 /dev/urandom | tr -d ' ')"
go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-cli-tests %{goipath}/cmd/osbuild-composer-cli-tests go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-cli-tests %{goipath}/cmd/osbuild-composer-cli-tests
go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-dnf-json-tests %{goipath}/cmd/osbuild-dnf-json-tests go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-dnf-json-tests %{goipath}/cmd/osbuild-dnf-json-tests
go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-weldr-tests %{goipath}/internal/client/ go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-weldr-tests %{goipath}/internal/client/
go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-image-tests %{goipath}/cmd/osbuild-image-tests go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-image-tests %{goipath}/cmd/osbuild-image-tests
go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-auth-tests %{goipath}/cmd/osbuild-auth-tests go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-auth-tests %{goipath}/cmd/osbuild-auth-tests
go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-koji-tests %{goipath}/cmd/osbuild-koji-tests go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-koji-tests %{goipath}/cmd/osbuild-koji-tests
go test -c -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-dbjobqueue-tests %{goipath}/cmd/osbuild-composer-dbjobqueue-tests go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-composer-dbjobqueue-tests %{goipath}/cmd/osbuild-composer-dbjobqueue-tests
go build -tags=integration -ldflags="${TEST_LDFLAGS}" -o _bin/cloud-cleaner %{goipath}/cmd/cloud-cleaner go test -c -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-service-maintenance-tests %{goipath}/cmd/osbuild-service-maintenance
go build -tags="integration${GOTAGS:+,$GOTAGS}" -ldflags="${TEST_LDFLAGS}" -o _bin/osbuild-mock-openid-provider %{goipath}/cmd/osbuild-mock-openid-provider
%endif %endif
%install %install
install -m 0755 -vd %{buildroot}%{_libexecdir}/osbuild-composer install -m 0755 -vd %{buildroot}%{_libexecdir}/osbuild-composer
install -m 0755 -vp _bin/osbuild-composer %{buildroot}%{_libexecdir}/osbuild-composer/ install -m 0755 -vp _bin/osbuild-composer %{buildroot}%{_libexecdir}/osbuild-composer/
install -m 0755 -vp _bin/osbuild-worker %{buildroot}%{_libexecdir}/osbuild-composer/ install -m 0755 -vp _bin/osbuild-worker %{buildroot}%{_libexecdir}/osbuild-composer/
install -m 0755 -vp dnf-json %{buildroot}%{_libexecdir}/osbuild-composer/ install -m 0755 -vp _bin/osbuild-jobsite-manager %{buildroot}%{_libexecdir}/osbuild-composer/
install -m 0755 -vp _bin/osbuild-jobsite-builder %{buildroot}%{_libexecdir}/osbuild-composer/
install -m 0755 -vd %{buildroot}%{_datadir}/osbuild-composer/repositories # Only include repositories for the distribution and release
install -m 0644 -vp repositories/* %{buildroot}%{_datadir}/osbuild-composer/repositories/ install -m 0755 -vd %{buildroot}%{_datadir}/osbuild-composer/repositories
# CentOS also defines rhel so we check for centos first
%if 0%{?centos}
install -m 0755 -vd %{buildroot}%{_unitdir} # CentOS 9 supports building for CentOS 8 and later
install -m 0644 -vp distribution/*.{service,socket} %{buildroot}%{_unitdir}/ %if 0%{?centos} >= 9
install -m 0644 -vp repositories/centos-* %{buildroot}%{_datadir}/osbuild-composer/repositories/
%else
# CentOS 8 only supports building for CentOS 8
install -m 0644 -vp repositories/centos-%{centos}* %{buildroot}%{_datadir}/osbuild-composer/repositories/
install -m 0644 -vp repositories/centos-stream-%{centos}* %{buildroot}%{_datadir}/osbuild-composer/repositories/
install -m 0755 -vd %{buildroot}%{_sysusersdir} %endif
install -m 0644 -vp distribution/osbuild-composer.conf %{buildroot}%{_sysusersdir}/ %else
%if 0%{?rhel}
# RHEL 9 supports building for RHEL 8 and later
%if 0%{?rhel} >= 9
install -m 0644 -vp repositories/rhel-* %{buildroot}%{_datadir}/osbuild-composer/repositories/
install -m 0755 -vd %{buildroot}%{_localstatedir}/cache/osbuild-composer/dnf-cache %else
# RHEL 8 only supports building for 8
install -m 0644 -vp repositories/rhel-%{rhel}* %{buildroot}%{_datadir}/osbuild-composer/repositories/
install -m 0755 -vd %{buildroot}%{_mandir}/man7 %endif
install -m 0644 -vp docs/*.7 %{buildroot}%{_mandir}/man7/ %endif
%endif
# Fedora can build for all included fedora releases
%if 0%{?fedora}
install -m 0644 -vp repositories/fedora-* %{buildroot}%{_datadir}/osbuild-composer/repositories/
%endif
install -m 0755 -vd %{buildroot}%{_unitdir}
install -m 0644 -vp distribution/*.{service,socket} %{buildroot}%{_unitdir}/
install -m 0755 -vd %{buildroot}%{_sysusersdir}
install -m 0644 -vp distribution/osbuild-composer.conf %{buildroot}%{_sysusersdir}/
install -m 0755 -vd %{buildroot}%{_localstatedir}/cache/osbuild-composer/dnf-cache
install -m 0755 -vd %{buildroot}%{_mandir}/man7
install -m 0644 -vp docs/*.7 %{buildroot}%{_mandir}/man7/
%if %{with tests} || 0%{?rhel} %if %{with tests} || 0%{?rhel}
install -m 0755 -vd %{buildroot}%{_libexecdir}/osbuild-composer-test install -m 0755 -vd %{buildroot}%{_libexecdir}/osbuild-composer-test
install -m 0755 -vp _bin/osbuild-composer-cli-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-composer-cli-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp _bin/osbuild-weldr-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-weldr-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp _bin/osbuild-dnf-json-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-dnf-json-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp _bin/osbuild-image-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-image-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp _bin/osbuild-auth-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-auth-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp _bin/osbuild-koji-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-koji-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp _bin/osbuild-composer-dbjobqueue-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-composer-dbjobqueue-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp _bin/cloud-cleaner %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-service-maintenance-tests %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/define-compose-url.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp _bin/osbuild-mock-openid-provider %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/provision.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/define-compose-url.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/gen-certs.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/provision.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/gen-ssh.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/gen-certs.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/image-info %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/gen-ssh.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/run-koji-container.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/image-info %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/koji-compose.py %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/run-koji-container.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/libvirt_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/koji-compose.py %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vd %{buildroot}%{_libexecdir}/tests/osbuild-composer install -m 0755 -vp tools/libvirt_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp test/cases/* %{buildroot}%{_libexecdir}/tests/osbuild-composer/ install -m 0755 -vp tools/s3_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/generic_s3_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/generic_s3_https_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/run-mock-auth-servers.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/set-env-variables.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vd %{buildroot}%{_libexecdir}/tests/osbuild-composer
install -m 0755 -vp test/cases/*.sh %{buildroot}%{_libexecdir}/tests/osbuild-composer/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/ansible install -m 0755 -vd %{buildroot}%{_libexecdir}/tests/osbuild-composer/api
install -m 0644 -vp test/data/ansible/* %{buildroot}%{_datadir}/tests/osbuild-composer/ansible/ install -m 0755 -vp test/cases/api/*.sh %{buildroot}%{_libexecdir}/tests/osbuild-composer/api/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/azure install -m 0755 -vd %{buildroot}%{_libexecdir}/tests/osbuild-composer/api/common
install -m 0644 -vp test/data/azure/* %{buildroot}%{_datadir}/tests/osbuild-composer/azure/ install -m 0755 -vp test/cases/api/common/*.sh %{buildroot}%{_libexecdir}/tests/osbuild-composer/api/common/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/manifests install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/ansible
install -m 0644 -vp test/data/manifests/* %{buildroot}%{_datadir}/tests/osbuild-composer/manifests/ install -m 0644 -vp test/data/ansible/* %{buildroot}%{_datadir}/tests/osbuild-composer/ansible/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/cloud-init install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/azure
install -m 0644 -vp test/data/cloud-init/* %{buildroot}%{_datadir}/tests/osbuild-composer/cloud-init/ install -m 0644 -vp test/data/azure/* %{buildroot}%{_datadir}/tests/osbuild-composer/azure/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/composer install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/manifests
install -m 0644 -vp test/data/composer/* %{buildroot}%{_datadir}/tests/osbuild-composer/composer/ install -m 0644 -vp test/data/manifests/* %{buildroot}%{_datadir}/tests/osbuild-composer/manifests/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/worker install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/cloud-init
install -m 0644 -vp test/data/worker/* %{buildroot}%{_datadir}/tests/osbuild-composer/worker/ install -m 0644 -vp test/data/cloud-init/* %{buildroot}%{_datadir}/tests/osbuild-composer/cloud-init/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/repositories install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/composer
install -m 0644 -vp test/data/repositories/* %{buildroot}%{_datadir}/tests/osbuild-composer/repositories/ install -m 0644 -vp test/data/composer/* %{buildroot}%{_datadir}/tests/osbuild-composer/composer/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/kerberos install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/worker
install -m 0644 -vp test/data/kerberos/* %{buildroot}%{_datadir}/tests/osbuild-composer/kerberos/ install -m 0644 -vp test/data/worker/* %{buildroot}%{_datadir}/tests/osbuild-composer/worker/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/keyring install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/repositories
install -m 0644 -vp test/data/keyring/id_rsa.pub %{buildroot}%{_datadir}/tests/osbuild-composer/keyring/ install -m 0644 -vp test/data/repositories/* %{buildroot}%{_datadir}/tests/osbuild-composer/repositories/
install -m 0600 -vp test/data/keyring/id_rsa %{buildroot}%{_datadir}/tests/osbuild-composer/keyring/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/koji install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/kerberos
install -m 0644 -vp test/data/koji/* %{buildroot}%{_datadir}/tests/osbuild-composer/koji/ install -m 0644 -vp test/data/kerberos/* %{buildroot}%{_datadir}/tests/osbuild-composer/kerberos/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/x509 install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/keyring
install -m 0644 -vp test/data/x509/* %{buildroot}%{_datadir}/tests/osbuild-composer/x509/ install -m 0644 -vp test/data/keyring/id_rsa.pub %{buildroot}%{_datadir}/tests/osbuild-composer/keyring/
install -m 0600 -vp test/data/keyring/id_rsa %{buildroot}%{_datadir}/tests/osbuild-composer/keyring/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/schemas install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/koji
install -m 0644 -vp internal/jobqueue/dbjobqueue/schemas/* %{buildroot}%{_datadir}/tests/osbuild-composer/schemas/ install -m 0644 -vp test/data/koji/* %{buildroot}%{_datadir}/tests/osbuild-composer/koji/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/x509
install -m 0644 -vp test/data/x509/* %{buildroot}%{_datadir}/tests/osbuild-composer/x509/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/schemas
install -m 0644 -vp pkg/jobqueue/dbjobqueue/schemas/* %{buildroot}%{_datadir}/tests/osbuild-composer/schemas/
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/upgrade8to9
install -m 0644 -vp test/data/upgrade8to9/* %{buildroot}%{_datadir}/tests/osbuild-composer/upgrade8to9/
%endif %endif
%check %check
export GOFLAGS="-buildmode=pie"
%if 0%{?rhel} %if 0%{?rhel}
export GOFLAGS=-mod=vendor export GOFLAGS+=" -mod=vendor -tags=exclude_graphdriver_btrfs"
export GOPATH=$PWD/_build:%{gopath} export GOPATH=$PWD/_build:%{gopath}
# cd inside GOPATH, otherwise go with GO111MODULE=off ignores vendor directory # cd inside GOPATH, otherwise go with GO111MODULE=off ignores vendor directory
cd $PWD/_build/src/%{goipath} cd $PWD/_build/src/%{goipath}
@ -243,13 +279,13 @@ cd $PWD/_build/src/%{goipath}
%endif %endif
%post %post
%systemd_post osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-remote-worker.socket %systemd_post osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-composer-prometheus.socket osbuild-remote-worker.socket
%preun %preun
%systemd_preun osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-remote-worker.socket %systemd_preun osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-composer-prometheus.socket osbuild-remote-worker.socket
%postun %postun
%systemd_postun_with_restart osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-remote-worker.socket %systemd_postun_with_restart osbuild-composer.service osbuild-composer.socket osbuild-composer-api.socket osbuild-composer-prometheus.socket osbuild-remote-worker.socket
%files %files
%license LICENSE %license LICENSE
@ -258,37 +294,43 @@ cd $PWD/_build/src/%{goipath}
%{_unitdir}/osbuild-composer.service %{_unitdir}/osbuild-composer.service
%{_unitdir}/osbuild-composer.socket %{_unitdir}/osbuild-composer.socket
%{_unitdir}/osbuild-composer-api.socket %{_unitdir}/osbuild-composer-api.socket
%{_unitdir}/osbuild-composer-prometheus.socket
%{_unitdir}/osbuild-local-worker.socket %{_unitdir}/osbuild-local-worker.socket
%{_unitdir}/osbuild-remote-worker.socket %{_unitdir}/osbuild-remote-worker.socket
%{_sysusersdir}/osbuild-composer.conf %{_sysusersdir}/osbuild-composer.conf
%package core %package core
Summary: The core osbuild-composer binary Summary: The core osbuild-composer binary
Requires: osbuild-depsolve-dnf >= %{min_osbuild_version}
Provides: %{name}-dnf-json = %{version}-%{release}
Obsoletes: %{name}-dnf-json < %{version}-%{release}
%description core %description core
The core osbuild-composer binary. This is suitable both for spawning in containers and by systemd. The core osbuild-composer binary. This is suitable both for spawning in containers and by systemd.
%files core %files core
%{_libexecdir}/osbuild-composer/osbuild-composer %{_libexecdir}/osbuild-composer/osbuild-composer
%{_libexecdir}/osbuild-composer/dnf-json
%{_datadir}/osbuild-composer/ %{_datadir}/osbuild-composer/
%package worker %package worker
Summary: The worker for osbuild-composer Summary: The worker for osbuild-composer
Requires: systemd Requires: systemd
Requires: qemu-img Requires: qemu-img
Requires: osbuild >= 29 Requires: osbuild >= %{min_osbuild_version}
Requires: osbuild-ostree >= 29 Requires: osbuild-ostree >= %{min_osbuild_version}
Requires: osbuild-lvm2 >= %{min_osbuild_version}
# remove in F34 Requires: osbuild-luks2 >= %{min_osbuild_version}
Obsoletes: golang-github-osbuild-composer-worker < %{version}-%{release} Requires: osbuild-depsolve-dnf >= %{min_osbuild_version}
Provides: golang-github-osbuild-composer-worker = %{version}-%{release} Provides: %{name}-dnf-json = %{version}-%{release}
Obsoletes: %{name}-dnf-json < %{version}-%{release}
%description worker %description worker
The worker for osbuild-composer The worker for osbuild-composer
%files worker %files worker
%{_libexecdir}/osbuild-composer/osbuild-worker %{_libexecdir}/osbuild-composer/osbuild-worker
%{_libexecdir}/osbuild-composer/osbuild-jobsite-manager
%{_libexecdir}/osbuild-composer/osbuild-jobsite-builder
%{_unitdir}/osbuild-worker@.service %{_unitdir}/osbuild-worker@.service
%{_unitdir}/osbuild-remote-worker@.service %{_unitdir}/osbuild-remote-worker@.service
@ -298,11 +340,13 @@ The worker for osbuild-composer
%preun worker %preun worker
# systemd_preun uses systemctl disable --now which doesn't work well with template services. # systemd_preun uses systemctl disable --now which doesn't work well with template services.
# See https://github.com/systemd/systemd/issues/15620 # See https://github.com/systemd/systemd/issues/15620
# The following lines mimicks its behaviour by running two commands: # The following lines mimicks its behaviour by running two commands.
# The scriptlet is supposed to run only when the package is being removed.
# disable and stop all the worker services if [ $1 -eq 0 ] && [ -d /run/systemd/system ]; then
systemctl --no-reload disable osbuild-worker@.service osbuild-remote-worker@.service # disable and stop all the worker services
systemctl stop "osbuild-worker@*.service" "osbuild-remote-worker@*.service" systemctl --no-reload disable osbuild-worker@.service osbuild-remote-worker@.service
systemctl stop "osbuild-worker@*.service" "osbuild-remote-worker@*.service"
fi
%postun worker %postun worker
# restart all the worker services # restart all the worker services
@ -312,7 +356,11 @@ systemctl stop "osbuild-worker@*.service" "osbuild-remote-worker@*.service"
%package tests %package tests
Summary: Integration tests Summary: Integration tests
%if %{with relax_requires}
Requires: %{name}
%else
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
%endif
Requires: composer-cli Requires: composer-cli
Requires: createrepo_c Requires: createrepo_c
Requires: xorriso Requires: xorriso
@ -340,15 +388,19 @@ Requires: libvirt-daemon-driver-storage-disk
Requires: libvirt-daemon-kvm Requires: libvirt-daemon-kvm
Requires: qemu-img Requires: qemu-img
Requires: qemu-kvm Requires: qemu-kvm
Requires: rpmdevtools
Requires: virt-install Requires: virt-install
Requires: expect Requires: expect
Requires: python3-lxml Requires: python3-lxml
Requires: httpd Requires: httpd
Requires: mod_ssl Requires: mod_ssl
Requires: openssl Requires: openssl
Requires: firewalld
Requires: podman-plugins Requires: podman-plugins
Requires: dnf-plugins-core Requires: dnf-plugins-core
Requires: skopeo Requires: skopeo
Requires: make
Requires: python3-pip
%if 0%{?fedora} %if 0%{?fedora}
# koji and ansible are not in RHEL repositories. Depending on them breaks RHEL # koji and ansible are not in RHEL repositories. Depending on them breaks RHEL
# gating (see OSCI-1541). The test script must enable EPEL and install those # gating (see OSCI-1541). The test script must enable EPEL and install those
@ -371,6 +423,166 @@ Integration tests to be run on a pristine-dedicated system to test the osbuild-c
%endif %endif
%changelog %changelog
* Tue Jun 24 2025 Ondřej Budai <obudai@redhat.com> - 101-4
- Resolves: RHEL-89279 (CVE-2025-22871)
* Tue Apr 22 2025 Tomáš Hozza <thozza@redhat.com> - 101-3
- Resolve RHEL-84643 (CVE-2025-30204)
* Wed Sep 25 2024 Tomáš Hozza <thozza@redhat.com> - 101-2
- Rebuilt to fix:
- CVE-2024-34156
- CVE-2024-1394
- RHEL-24303
- RHEL-57905
* Mon Feb 26 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 101-1
- New upstream release
* Wed Feb 07 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 100-1
- New upstream release
* Wed Jan 24 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 99-1
- New upstream release
* Wed Jan 10 2024 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 98-1
- New upstream release
* Wed Dec 13 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 96-1
- New upstream release
* Wed Nov 29 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 95-1
- New upstream release
* Wed Nov 15 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 94-1
- New upstream release
* Wed Nov 01 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 93-1
- New upstream release
* Wed Oct 18 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 92-1
- New upstream release
* Wed Oct 04 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 91-1
- New upstream release
* Thu Sep 21 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 90-1
- New upstream release
* Wed Sep 06 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 89-1
- New upstream release
* Thu Aug 24 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 88-1
- New upstream release
* Wed Aug 09 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 87-1
- New upstream release
* Wed Jul 26 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 86-1
- New upstream release
* Fri Jul 14 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 85-1
- New upstream release
* Wed Jun 14 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 84-1
- New upstream release
* Wed May 17 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 82-1
- New upstream release
* Wed Apr 19 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 80-1
- New upstream release
* Wed Apr 05 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 79-1
- New upstream release
* Wed Mar 08 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 77-1
- New upstream release
* Wed Feb 22 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 75-1
- New upstream release
* Wed Feb 08 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 74-1
- New upstream release
* Wed Jan 25 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 73-1
- New upstream release
* Wed Jan 11 2023 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 72-1
- New upstream release
* Wed Dec 28 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 71-1
- New upstream release
* Wed Dec 14 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 70-1
- New upstream release
* Wed Nov 30 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 69-1
- New upstream release
* Wed Nov 16 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 68-1
- New upstream release
* Wed Nov 02 2022 imagebuilder-bots+imagebuilder-bot@redhat.com <imagebuilder-bot> - 67-1
- New upstream release
* Mon Aug 29 2022 Ondřej Budai <ondrej@budai.cz> - 62-1
- New upstream release
* Wed Aug 24 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 60-1
- New upstream release
* Thu Aug 11 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 59-1
- New upstream release
* Thu Jul 28 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 58-1
- New upstream release
* Mon Jul 18 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 57-1
- New upstream release
* Wed Jun 15 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 55-1
- New upstream release
* Wed Jun 01 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 54-1
- New upstream release
* Mon May 23 2022 imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com> - 53-1
- New upstream release
* Wed May 04 2022 Ondřej Budai <ondrej@budai.cz> - 51-1
- New upstream release
* Tue Mar 01 2022 Ondřej Budai <ondrej@budai.cz> - 46-1
- New upstream release
* Sat Feb 19 2022 Ondřej Budai <ondrej@budai.cz> - 45-1
- New upstream release
* Mon Feb 14 2022 Thomas Lavocat <tlavocat@redhat.com> - 44-1
- New upstream release
* Mon Feb 07 2022 Thomas Lavocat <tlavocat@redhat.com> - 43-1
- New upstream release
* Tue Jan 18 2022 Thomas Lavocat <tlavocat@redhat.com> - 42-1
- New upstream release
* Thu Dec 09 2021 Ondřej Budai <ondrej@budai.cz> - 40-1
- New upstream release
* Fri Oct 15 2021 Achilleas Koutsou <achilleas@redhat.com> - 37-1
- New upstream release
* Fri Oct 15 2021 Achilleas Koutsou <achilleas@redhat.com> - 36-1
- New upstream release
* Mon Aug 30 2021 Tom Gundersen <teg@jklm.no> - 33-1
- New upstream release
* Sun Aug 29 2021 Tom Gundersen <teg@jklm.no> - 32-2
- New upstream release
* Thu Aug 12 2021 Ondřej Budai <ondrej@budai.cz> - 31-1 * Thu Aug 12 2021 Ondřej Budai <ondrej@budai.cz> - 31-1
- New upstream release - New upstream release