diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 22491176a5b..e6d9d737033 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -172,9 +172,11 @@ jobs:
TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
run: |
echo "::group::Build"
+ bazel build --host_platform=@rules_nixpkgs_core//platforms:host //image/base:rpmdb
bazel build --host_platform=@rules_nixpkgs_core//platforms:host "${TARGET}"
{
echo "image-dir=$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files "$TARGET")"
+ echo "rpmdb=$(realpath $(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files //image/base:rpmdb))"
} | tee -a "$GITHUB_OUTPUT"
echo "::endgroup::"
@@ -192,6 +194,7 @@ jobs:
${{ steps.build.outputs.image-dir }}/constellation.efi
${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
+ ${{ steps.build.outputs.rpmdb }}
upload-os-image:
name: "Upload OS image to CSP"
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 7a0e2936052..a1be235aaad 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -1,5 +1,6 @@
load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
load("@aspect_bazel_lib//lib:copy_to_directory.bzl", "copy_to_directory")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
copy_to_directory(
@@ -41,6 +42,10 @@ mkosi_image(
outs = [
"image",
"image.tar",
+ "image-rpmdb.sqlite-wal",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite",
+ "image-.rpm.lock",
],
extra_trees = [
"//image:sysroot_tar",
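Review bot: The inner command substitution handed to `realpath` on the added `rpmdb=` line is unquoted, so the path printed by `bazel cquery --output=files` goes through word splitting and glob expansion before `realpath` sees it, whereas the sibling `image-dir=` line already quotes its `$TARGET`. Write it as `echo "rpmdb=$(realpath "$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files //image/base:rpmdb)")"`. Note also that a failing `cquery` inside `$(...)` does not fail the step, because only `echo`'s status is observed, so a broken `//image/base:rpmdb` query would silently record an empty `rpmdb` output. The step these lines belong to (its `id`/`name`) starts above the hunk.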
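Review bot: The added `${{ steps.build.outputs.rpmdb }}` entry is an absolute path (the build step resolves it with `realpath`), while the three entries above it are rooted at whatever `bazel cquery --output=files` printed for `image-dir`, so the list now presumably mixes two roots. If this is an upload-artifact `path:` list, the artifact layout is derived from the least common ancestor of all entries, and adding a path under the Bazel output base may nest the existing image files deeper than before; the resulting artifact is worth checking. The `path:` key and the action these lines belong to are above the hunk.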
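Review bot: The four added `outs` entries are only produced because `image/base/mkosi.postinst` (later in this diff) copies the rpmdb files into `$OUTPUTDIR`, and nothing in the BUILD file records that coupling; a reader who removes the `cp` there will get an opaque "missing output" error here. Add a comment above the new entries, e.g. `# exported by mkosi.postinst (copied from /var/lib/rpm into $OUTPUTDIR)`. Whether the `image-` prefix is added by mkosi or by the `mkosi_image` rule is not visible here, so the comment should say where the prefix comes from once confirmed.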
@@ -58,3 +63,21 @@ mkosi_image(
],
visibility = ["//visibility:public"],
)
+
+pkg_tar(
+ name = "rpmdb",
+ remap_paths = {
+ "/image-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
+ "/image-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
+ "/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
+ "/image-.rpm.lock": "/var/lib/rpm/.rpm.lock",
+ },
+ srcs = [
+ "image-rpmdb.sqlite",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite-wal",
+ "image-.rpm.lock",
+ ],
+ tags = ["manual"],
+ visibility = ["//visibility:public"],
+)
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index 362efdb2583..661e30af09f 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -62,11 +62,7 @@ PackageManagerTrees=reposdir:/etc/yum.repos.d
RemoveFiles=/var/log
RemoveFiles=/var/cache
RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
- /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
/var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
RemoveFiles=/etc/issue
RemoveFiles=/etc/issue.net
-CleanPackageMetadata=true
Seed=b04a9a33-4559-4af4-8b38-9249cf933229
diff --git a/image/base/mkosi.postinst b/image/base/mkosi.postinst
index 99a2ec0bcb1..be4e667383a 100755
--- a/image/base/mkosi.postinst
+++ b/image/base/mkosi.postinst
@@ -7,3 +7,10 @@ mkdir -p "${BUILDROOT}"/etc/{cni,kubernetes}
# move issue files away from /etc
# to allow /run/issue and /run/issue.d to take precedence
mv "${BUILDROOT}/etc/issue.d" "${BUILDROOT}/usr/lib/issue.d" || true
+
+# generate reproducible package manifest
+mkdir -p "${BUILDROOT}/usr/share/constellation"
+rpm -qa --qf '%{name};%{version};%{license}\n' --dbpath "${BUILDROOT}/var/lib/rpm/" | LC_ALL=C sort | tee "${BUILDROOT}/usr/share/constellation/packagemanifest.txt"
+
+ # copy rpmdb to outputs
+ cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
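Review bot: The `remap_paths` entry for the write-ahead log is inconsistent with its siblings: `"/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal"` keeps the `image-` prefix, while the `.sqlite` and `-shm` entries drop it. SQLite finds a database's WAL by appending `-wal` to the database file name, so whoever extracts this tar and opens `/var/lib/rpm/rpmdb.sqlite` will ignore `image-rpmdb.sqlite-wal` and miss any transactions that were still only in the WAL when `mkosi.postinst` copied the files out; the rpm data they read would then be silently stale. Change the value to `"/var/lib/rpm/rpmdb.sqlite-wal"`. Since the tar is a build output, a checkpoint before the copy would also let the WAL and `-shm` files be dropped from `srcs` altogether.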
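Review bot: Dropping `CleanPackageMetadata=true` (and the removal of `/usr/lib/sysimage/libdnf5/transaction_history.sqlite*`) keeps the rpm database and dnf state in the base image tree, and nothing in this file says why or what strips it again. The final image appears to depend on `image/system/mkosi.conf` still carrying `CleanPackageMetadata=true` and the `transaction_history.sqlite*` removal (both visible as context in the last hunk of this diff), which is worth stating in place, e.g. above `Seed=`: `# Package metadata is kept here so mkosi.postinst can query and export the rpmdb; image/system cleans it from the final image.` If the base image does not itself need the libdnf5 transaction history, which typically records transaction timestamps, keeping that path in `RemoveFiles` here would reduce what later stages have to strip.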
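Review bot: On the added `rpm -qa … | LC_ALL=C sort | tee …` line, a failing `rpm` (for example an unreadable `--dbpath`) is masked, because the pipeline's status is that of `tee`, so the build continues with an empty or truncated `packagemanifest.txt` unless the script already enables `pipefail` above the hunk, which is not visible here. Add `set -o pipefail` near the top of the script, or check `"${PIPESTATUS[0]}"` after the pipeline and exit non-zero on failure. The same masking applies to the `cp`: without `set -e` a missing file among the four brace-expanded names only prints an error and the postinst still exits 0. The last two added lines (`# copy rpmdb to outputs` and the `cp`) also appear to be indented by a space while the rest of the script is flush-left; align them.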
diff --git a/image/initrd/mkosi.conf b/image/initrd/mkosi.conf
index 38304bdf31e..4709ebfe8a8 100644
--- a/image/initrd/mkosi.conf
+++ b/image/initrd/mkosi.conf
@@ -37,7 +37,5 @@ RemoveFiles=/var/cache
RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
/usr/lib/sysimage/libdnf5/transaction_history.sqlite*
/var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
CleanPackageMetadata=true
Seed=b04a9a33-4559-4af4-8b38-9249cf933229
diff --git a/image/system/mkosi.conf b/image/system/mkosi.conf
index 317899e8246..3f3c66d711e 100644
--- a/image/system/mkosi.conf
+++ b/image/system/mkosi.conf
@@ -19,6 +19,4 @@ RemoveFiles=/var/cache
RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
/usr/lib/sysimage/libdnf5/transaction_history.sqlite*
/var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
CleanPackageMetadata=true