diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index eba38ae0..2fe1aa24 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -28,37 +28,56 @@ variables:
 S3_BUCKET_NAME: "mender"
 S3_BUCKET_PATH: "mender-artifact"
 DOCKER_BUILDKIT: 1
+ DOCKER_PLATFORMS:
+ value: "linux/amd64,linux/arm64"
+ description: "Platforms for building and distributing container images"
 test:check-license-source:
 variables:
 LICENSE_HEADERS_IGNORE_FILES_REGEXP: './artifact/keyfactor/\(signer\|signer_test\)\.go'
 build:docker:
- image: docker
+ image: docker:26-cli
 needs: []
 services:
- - docker:dind
+ - docker:26-dind
 stage: build
+ before_script:
+ - |
+ echo ${CI_REGISTRY_PASSWORD} | \
+ docker login \
+ --username "$CI_REGISTRY_USER" \
+ --password-stdin \
+ "$CI_REGISTRY"
+ - docker buildx create --platform "$DOCKER_PLATFORMS" --name builder --bootstrap --use
 script:
- - docker build -t $DOCKER_REPOSITORY:pr .
- - docker save $DOCKER_REPOSITORY:pr > image.tar
- artifacts:
- expire_in: 2w
- paths:
- - image.tar
+ - |
+ docker buildx build --push \
+ --platform "$DOCKER_PLATFORMS" \
+ --tag "$CI_REGISTRY_IMAGE:$CI_PIPELINE_IID" \
+ .
 tags:
 - gitlab-org-docker
-build:make:
- image: docker
+build:yoctocompat:
+ # Keep golang version aligned with latest yocto release
+ image: golang:1.17.13-bullseye
 needs: []
- services:
- - docker:dind
 before_script:
- - apk add --no-cache make
+ - apt-get update
+ - apt-get install -qy libssl-dev
+ script:
+ - go build
+
+build:make:
+ image: golang:1.22.4
+ needs: []
 stage: build
+ before_script:
+ - apt-get update
+ - apt-get install -qqy libssl-dev
 script:
- - make build-natives-contained
+ - make build-natives
 artifacts:
 expire_in: 2w
 paths:
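Review bot: In the `build:docker` `before_script`, `echo ${CI_REGISTRY_PASSWORD}` expands the secret unquoted, so the shell word-splits and glob-expands it before `docker login` reads it, and a value containing runs of whitespace, `*` or a leading `-n` reaches the registry altered. Quoting the variable and using printf avoids that: `printf '%s' "$CI_REGISTRY_PASSWORD" | \`. The same pattern appears in both `skopeo login` steps of the `publish:docker` hunk (`${CI_REGISTRY_PASSWORD}` and `${DOCKER_HUB_PASSWORD}`), where the Docker Hub password is the more likely one to contain such characters. Separately, `build:yoctocompat` declares no `stage:`, so GitLab places it in its default `test` stage rather than `build`; if that is unintended, add `stage: build`.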
@@ -74,20 +93,17 @@ build:make:
 build:coverage:
 stage: build
- image: docker
+ image: golang:1.22.4
 needs: []
- services:
- - docker:dind
 before_script:
- - apk add --no-cache make
- - make instrument-binary-contained
+ - apt-get update
+ - apt-get install -qqy libssl-dev
 script:
- - make build-contained
- - mv mender-artifact mender-artifact-linux-coverage
+ - make build BUILDFLAGS='-cover'
 artifacts:
 expire_in: 2w
 paths:
- - mender-artifact-linux-coverage
+ - mender-artifact
 test:smoketests:mac:
 stage: test
@@ -114,13 +130,12 @@ test:smoketests:mac:
 test:smoketests:linux:
 stage: test
- # Keep golang version aligned with latest yocto release
- image: golang:1.17-buster
+ image: golang:1.22.4
 needs:
 - job: build:make
 artifacts: true
 before_script:
- - apt-get update && apt-get install -q -y make liblzma-dev libssl-dev
+ - apt-get update && apt-get install -q -y make libssl-dev
 - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh --setup
 - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-linux
 script:
@@ -135,13 +150,11 @@ test:smoketests:linux:
 - ./mender-artifact-linux read test-rfs.mender
 - ./mender-artifact-linux validate test-rfs.mender
 - ./tests/test_compressions/test_supported_compressions.sh
- # QA-507: lock mender-artifact to OpenSSL 1.1
- - ldd ./mender-artifact-linux | grep libssl.so.1.1
 - make build
 test:coverage:linux:
 stage: test
- image: debian:buster-slim
+ image: golang:1.22.4
 needs:
 - job: build:coverage
 artifacts: true
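Review bot: In `test:smoketests:linux` (hunk at -135), the `ldd ./mender-artifact-linux | grep libssl.so.1.1` step is dropped without a replacement, so after this change no visible job asserts which OpenSSL library the built binary links against. With the test image moving to `golang:1.22.4` the expected soname presumably changes rather than disappears; keeping the guard with the new value, e.g. `- ldd ./mender-artifact-linux | grep 'libssl\.so\.<EXPECTED_MAJOR>'`, would keep an accidental change of crypto library visible in CI. The job's script begins above this hunk, so other checks may exist that are not shown here.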
@@ -149,16 +162,13 @@ test:coverage:linux:
 COVERAGE_FILE: coverage-linux-pkcs.txt
 before_script:
 - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh --setup
- - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-linux-coverage
+ - COVERDIR=$(mktemp -d /tmp/cover-XXXX)
+ - export GOCOVERDIR=${COVERDIR}
+ - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact
 script:
 - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh
 after_script:
- - set -- /tmp/coverage-artifact*.out
- - head -n 1 $1 > ${COVERAGE_FILE}
- - |
- for cover in $@; do
- tail -n +2 $cover >> ${COVERAGE_FILE}
- done
+ - go tool covdata textfmt -i ${COVERDIR} -o ${COVERAGE_FILE}
 artifacts:
 expire_in: 2w
 untracked: true
@@ -260,6 +270,36 @@ publish:s3:
 only:
 - /^(master|[0-9]+\.[0-9]+\.x)$/
+publish:docker:
+ stage: publish
+ rules:
+ - if: '$CI_COMMIT_TAG'
+ - if: '$CI_COMMIT_BRANCH == "master"'
+ - when: manual # Fallback; allow manual trigger
+ allow_failure: true
+ image:
+ name: "quay.io/skopeo/stable:v1.15"
+ # https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#override-the-entrypoint-of-an-image
+ entrypoint: [""]
+ before_script:
+ - |
+ echo ${CI_REGISTRY_PASSWORD} | \
+ skopeo login \
+ --username "$CI_REGISTRY_USER" \
+ --password-stdin \
+ "$CI_REGISTRY"
+ - |
+ echo ${DOCKER_HUB_PASSWORD} | \
+ skopeo login \
+ --username "$DOCKER_HUB_USERNAME" \
+ --password-stdin \
+ docker.io
+ script:
+ - |
+ skopeo copy --multi-arch all \
+ "docker://${CI_REGISTRY_IMAGE}:${CI_PIPELINE_IID}" \
+ "docker://docker.io/mendersoftware/mender-artifact:${CI_COMMIT_REF_NAME}"
+
 generate-qa-trigger:
 image: python:alpine
 stage: trigger_prep
diff --git a/Dockerfile b/Dockerfile
index 6e27bc65..a66dbb82 100644
--- a/Dockerfile
+++ b/Dockerfile
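Review bot: In `test:coverage:linux` (.gitlab-ci.yml), `COVERDIR` is assigned in `before_script` but read in `after_script`, and GitLab runs `after_script` in a separate shell that does not inherit variables set or exported by `before_script` or `script`. `${COVERDIR}` will therefore be empty when `go tool covdata textfmt -i ${COVERDIR}` runs, and because an `after_script` failure does not fail the job, the coverage file would simply be missing. Defining the directory as a job variable makes it visible in every section: add `GOCOVERDIR: "/tmp/cover"` next to `COVERAGE_FILE`, replace the two added `COVERDIR`/`GOCOVERDIR` lines with `- mkdir -p "$GOCOVERDIR"`, and use `- go tool covdata textfmt -i "$GOCOVERDIR" -o "$COVERAGE_FILE"`.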
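Review bot: The last rule in `publish:docker` (.gitlab-ci.yml), `- when: manual`, matches every pipeline, so the job that logs in with `DOCKER_HUB_PASSWORD` and pushes to `docker.io/mendersoftware/mender-artifact:${CI_COMMIT_REF_NAME}` can be started by hand from any ref, and a branch whose name equals an already published tag would overwrite that image. Restricting the fallback to protected refs keeps the manual trigger while closing that path: `- if: '$CI_COMMIT_REF_PROTECTED == "true"'` followed by `when: manual`. It is also worth confirming that `DOCKER_HUB_PASSWORD` is configured as a protected, masked CI variable, which cannot be seen from this file. The `quay.io/skopeo/stable:v1.15` image is pinned by tag only; a digest pin would make the publishing tool itself immutable.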
@@ -1,9 +1,10 @@
-# Keep golang version aligned with latest yocto release
-FROM golang:1.17.13-bullseye as builder
-RUN mkdir -p /go/src/github.com/mendersoftware/mender-artifact
-WORKDIR /go/src/github.com/mendersoftware/mender-artifact
-ADD ./ .
-RUN make get-build-deps && \
- make build && \
- make install
-ENTRYPOINT [ "/go/bin/mender-artifact" ]
+FROM golang:1.22.4 as builder-deb
+WORKDIR /build
+COPY . .
+RUN apt update && apt install -qy libssl-dev && \
+ make build
+
+FROM debian:12.5-slim
+COPY --from=builder-deb /build/mender-artifact /usr/bin/mender-artifact
+RUN apt update && apt install -qy openssl
+ENTRYPOINT ["/usr/bin/mender-artifact"]
diff --git a/Makefile b/Makefile
index 35623942..89d9641b 100644
--- a/Makefile
+++ b/Makefile
@@ -26,8 +26,9 @@ VERSION = $(shell git describe --tags --dirty --exact-match 2>/dev/null || git r
 GO_LDFLAGS = \
 -ldflags "-X github.com/mendersoftware/mender-artifact/cli.Version=$(VERSION)"
+BUILDFLAGS ?= -trimpath
 ifeq ($(V),1)
-BUILDV = -v
+BUILDFLAGS += -v
 endif
 TAGS ?=
@@ -36,7 +37,7 @@ ifneq ($(GOOS),linux)
 endif
 build:
- $(GO) build $(GO_LDFLAGS) $(BUILDV) -tags '$(TAGS)'
+ $(GO) build $(GO_LDFLAGS) $(BUILDFLAGS) -tags '$(TAGS)'
 PLATFORMS := darwin linux windows
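Review bot: The runtime stage of the Dockerfile sets no `USER`, so the tool runs as root inside the container, and its `RUN apt update && apt install -qy openssl` uses the interactive `apt` front end, pulls recommended packages and leaves the package lists in the layer. Suggested: place the install before the `COPY --from=builder-deb` line and write it as `RUN apt-get update && apt-get install -qy --no-install-recommends openssl && rm -rf /var/lib/apt/lists/*`. If mender-artifact does not need root for its usual invocations (not determinable from this hunk), a non-root `USER` line before `ENTRYPOINT` would limit what processing a malformed artifact can touch on bind-mounted paths. Both `FROM` lines pin a tag rather than a digest, so the base content can change under the same tag.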
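Review bot: In the Makefile hunk at -26, `BUILDFLAGS ?= -trimpath` makes `-trimpath` a default that any caller-supplied value replaces, and a command-line assignment also suppresses the `BUILDFLAGS += -v` under `ifeq ($(V),1)`, because make ignores makefile assignments to a variable set on the command line unless `override` is used. The coverage job in this same commit calls `make build BUILDFLAGS='-cover'`, which therefore builds without `-trimpath`. If `-trimpath` is meant to apply to every build, keep it out of the overridable variable, for example `$(GO) build $(GO_LDFLAGS) -trimpath $(BUILDFLAGS) -tags '$(TAGS)'` in the `build` recipe of the following hunk, with `BUILDFLAGS ?=` left empty.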
@@ -68,13 +69,13 @@ build-natives: build-native-linux build-native-mac build-native-windows
 build-contained:
 rm -f mender-artifact && \
 image_id=$$(docker build -f Dockerfile -q .) && \
- docker run --rm --entrypoint "/bin/sh" -v $(shell pwd):/binary $$image_id -c "cp /go/bin/mender-artifact /binary" && \
+ docker run --rm --entrypoint "/bin/sh" -v $(shell pwd):/binary $$image_id -c "cp /usr/bin/mender-artifact /binary" && \
 docker image rm $$image_id
 build-natives-contained:
 rm -f mender-artifact-darwin mender-artifact-linux mender-artifact-windows.exe && \
 image_id=$$(docker build -f Dockerfile.binaries -q .) && \
- docker run --rm --entrypoint "/bin/sh" -v $(shell pwd):/binary $$image_id -c "cp /go/bin/mender-artifact* /binary" && \
+ docker run --rm --entrypoint "/bin/sh" -v $(shell pwd):/binary $$image_id -c "cp /usr/bin/mender-artifact* /binary" && \
 docker image rm $$image_id
 install:
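Review bot: `build-natives-contained` now copies from `/usr/bin/mender-artifact*`, but the image it runs is built from `Dockerfile.binaries`, which is not changed in the part of the diff shown here. If that file still installs the binaries under `/go/bin`, the `cp` will fail; either update `Dockerfile.binaries` in the same commit or keep the old path for this target. In both recipes `-v $(shell pwd):/binary` is unquoted, so a checkout path containing spaces breaks the bind mount; `-v "$(CURDIR)":/binary` would avoid that.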