diff --git a/0001-Eliminate-redundant-and-obsolete-cruft-from-dnf_keyr.patch b/0001-Eliminate-redundant-and-obsolete-cruft-from-dnf_keyr.patch
new file mode 100644
index 0000000..85f2f4f
--- /dev/null
+++ b/0001-Eliminate-redundant-and-obsolete-cruft-from-dnf_keyr.patch
@@ -0,0 +1,55 @@
+From 0d67f44198daa829d947436884e00f2030642136 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Wed, 10 May 2023 10:29:58 +0300
+Subject: [PATCH 1/3] Eliminate redundant and obsolete cruft from
+ dnf_keyring_add_public_key()
+
+These APIs have been obsolete for years and now removed in rpm 4.19.
+Luckily the usage here is entirely redundant, rpmKeyringAddKey() checks
+for duplicates and that case is even handled in this code.
+---
+ libdnf/dnf-keyring.cpp | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
+index 550d5ce2..a8fdb993 100644
+--- a/libdnf/libdnf/dnf-keyring.cpp
++++ b/libdnf/libdnf/dnf-keyring.cpp
+@@ -63,7 +63,6 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
+ int rc;
+ gsize len;
+ pgpArmor armor;
+- pgpDig dig = NULL;
+ rpmPubkey pubkey = NULL;
+ rpmPubkey *subkeys = NULL;
+ int nsubkeys = 0;
+@@ -116,16 +115,7 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
+ goto out;
+ }
+
+- /* does the key exist in the keyring */
+- dig = rpmPubkeyDig(pubkey);
+- rc = rpmKeyringLookup(keyring, dig);
+- if (rc == RPMRC_OK) {
+- ret = TRUE;
+- g_debug("%s is already present", filename);
+- goto out;
+- }
+-
+- /* add to rpmdb automatically, without a prompt */
++ /* add to in-memory keyring */
+ rc = rpmKeyringAddKey(keyring, pubkey);
+ if (rc == 1) {
+ ret = TRUE;
+@@ -169,8 +159,6 @@ out:
+ }
+ free(subkeys);
+ }
+- if (dig != NULL)
+- pgpFreeDig(dig);
+ return ret;
+ } CATCH_TO_GERROR(FALSE)
+
+--
+2.41.0.rc1
+
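Review bot: The embedded patch's own headers disagree about the target path: its `diff --git` line and diffstat name `libdnf/dnf-keyring.cpp`, while its `---`/`+++` lines name `libdnf/libdnf/dnf-keyring.cpp`, which suggests the upstream commit was hand-edited to apply inside the bundled tree. The 0002 patch shows the same mismatch. Because the `From` line still carries the upstream hash, anyone comparing this file byte-for-byte against that commit will see a difference with no explanation. Regenerating the patch from a tree with the bundled layout, or recording the adjustment next to `Patch0:` (for example `# paths rewritten from libdnf/ to libdnf/libdnf/ for the bundled copy; otherwise identical to upstream`), would keep the provenance checkable.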
diff --git a/0002-Remove-redundant-and-obsolete-cruft-in-dnf_keyring_c.patch b/0002-Remove-redundant-and-obsolete-cruft-in-dnf_keyring_c.patch
new file mode 100644
index 0000000..64114a5
--- /dev/null
+++ b/0002-Remove-redundant-and-obsolete-cruft-in-dnf_keyring_c.patch
@@ -0,0 +1,96 @@
+From 4572ee7ff49d5ced4c53c5d789571adbdbd119bb Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Wed, 10 May 2023 10:34:22 +0300
+Subject: [PATCH 2/3] Remove redundant and obsolete cruft in
+ dnf_keyring_check_untrusted_file()
+
+These APIs have been obsolete for years and now removed in rpm 4.19.
+This was always a rather strange way to go at verifying a package,
+but now also wholly redundant because the signature are already verified
+by rpmcliVerifySignatures().
+---
+ libdnf/dnf-keyring.cpp | 53 ------------------------------------------
+ 1 file changed, 53 deletions(-)
+
+diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
+index a8fdb993..5f6c7d7f 100644
+--- a/libdnf/libdnf/dnf-keyring.cpp
++++ b/libdnf/libdnf/dnf-keyring.cpp
+@@ -238,9 +238,7 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+ FD_t fd = NULL;
+ gboolean ret = FALSE;
+ Header hdr = NULL;
+- pgpDig dig = NULL;
+ rpmRC rc;
+- rpmtd td = NULL;
+ rpmts ts = NULL;
+
+ char *path = g_strdup(filename);
+@@ -302,51 +300,6 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+ goto out;
+ }
+
+- /* convert and upscale */
+- headerConvert(hdr, HEADERCONV_RETROFIT_V3);
+-
+- /* get RSA key */
+- td = rpmtdNew();
+- rc = static_cast(headerGet(hdr, RPMTAG_RSAHEADER, td, HEADERGET_MINMEM));
+- if (rc != RPMRC_NOTFOUND) {
+- /* try to read DSA key as a fallback */
+- rc = static_cast(headerGet(hdr, RPMTAG_DSAHEADER, td, HEADERGET_MINMEM));
+- }
+-
+- /* the package has no signing key */
+- if (rc != RPMRC_NOTFOUND) {
+- g_autofree char *package_filename = g_path_get_basename(filename);
+- ret = FALSE;
+- g_set_error(error,
+- DNF_ERROR,
+- DNF_ERROR_GPG_SIGNATURE_INVALID,
+- "package not signed: %s", package_filename);
+- goto out;
+- }
+-
+- /* make it into a digest */
+- dig = pgpNewDig();
+- rc = static_cast(pgpPrtPkts(static_cast(td->data), td->count, dig, 0));
+- if (rc != RPMRC_OK) {
+- g_set_error(error,
+- DNF_ERROR,
+- DNF_ERROR_FILE_INVALID,
+- "failed to 
parse digest header for %s", +- filename); +- goto out; +- } +- +- /* does the key exist in the keyring */ +- rc = rpmKeyringLookup(keyring, dig); +- if (rc != RPMRC_OK) { +- g_set_error(error, +- DNF_ERROR, +- DNF_ERROR_GPG_SIGNATURE_INVALID, +- "failed to lookup digest in keyring for %s", +- filename); +- goto out; +- } +- + /* the package is signed by a key we trust */ + g_debug("%s has been verified as trusted", filename); + ret = TRUE; +@@ -355,12 +308,6 @@ out: + + if (path != NULL) + g_free(path); +- if (dig != NULL) +- pgpFreeDig(dig); +- if (td != NULL) { +- rpmtdFreeData(td); +- rpmtdFree(td); +- } + if (ts != NULL) + rpmtsFree(ts); + if (hdr != NULL) +-- +2.41.0.rc1 + diff --git a/rpm-ostree.spec b/rpm-ostree.spec index c3eb395..a5d9592 100644 --- a/rpm-ostree.spec +++ b/rpm-ostree.spec @@ -4,12 +4,17 @@ Summary: Hybrid image/package system Name: rpm-ostree Version: 2023.4 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPLv2+ URL: https://github.com/coreos/rpm-ostree # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # in the upstream git. It also contains vendored Rust sources. Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz +# These patches are for the bundled libdnf to work with RPM 4.19: +# https://github.com/rpm-software-management/libdnf/commit/0d67f44198daa829d947436884e00f2030642136 +# https://github.com/rpm-software-management/libdnf/commit/4572ee7ff49d5ced4c53c5d789571adbdbd119bb +Patch0: 0001-Eliminate-redundant-and-obsolete-cruft-from-dnf_keyr.patch +Patch1: 0002-Remove-redundant-and-obsolete-cruft-in-dnf_keyring_c.patch ExclusiveArch: %{rust_arches} 
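Review bot: With the header-tag block removed, the only thing left to reject an unsigned package in dnf_keyring_check_untrusted_file() is the rpmcliVerifySignatures() call the commit message refers to, which is outside this hunk, yet the surviving context still logs `%s has been verified as trusted`. The deleted code was the only visible source of the `package not signed: %s` error. It is worth confirming that the transaction set is configured so that a package without a signature fails verification rather than passing on digests alone, and covering that with a test that feeds the function an unsigned RPM. A comment above the debug line would record the dependency, e.g. `/* signature presence and key trust are enforced by rpmcliVerifySignatures() above */`. The function body starts and ends outside the hunk.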
@@ -160,7 +165,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} The %{name}-devel package includes the header files for %{name}-libs. %prep -%autosetup -Sgit -n %{name}-%{version} +%autosetup -Sgit -n %{name}-%{version} -p1 %if 0%{?__isa_bits} == 32 sed -ie 's,^lto = true,lto = false,' Cargo.toml %endif @@ -241,6 +246,9 @@ $PYTHON autofiles.py > files.devel \ %files devel -f files.devel %changelog +* Thu May 25 2023 Adam Williamson - 2023.4-4 +- Backport libdnf patches to work with rpm-4.19 + * Fri May 19 2023 Petr Pisar - 2023.4-3 - Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)