diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock index ce6e5a542..c9bd468ea 100644 --- a/MODULE.bazel.lock +++ b/MODULE.bazel.lock @@ -224,7 +224,7 @@ }, "//private/extensions:java.bzl%java": { "general": { - "bzlTransitiveDigest": "e6nFSFbKCptaQKHC8MHuMOYJ+yhs7JRNXy9AbVVh9uc=", + "bzlTransitiveDigest": "67ID4TeXqkRygJhmKqst9bD0KMeTyQ6mHhI0OJ0GxZw=", "usagesDigest": "FtQ3JqB3M2ulaw/D6Kcu09xvvKP9CVM7CVAEBvnjyQI=", "recordedFileInputs": {}, "recordedDirentsInputs": {}, diff --git a/private/extensions/java.bzl b/private/extensions/java.bzl index 34d331bfa..3d5293fa2 100644 --- a/private/extensions/java.bzl +++ b/private/extensions/java.bzl 
@@ -9,62 +9,65 @@ JAVA_RELEASE_VERSIONS = { "temurin21_jdk_ppc64le": "21.0.2", } +STATIC_MTREE = """\ +etc/ssl/certs/ time=946684800.0 mode=755 gid=0 uid=0 type=dir +etc/ssl/certs/java/ time=946684800.0 mode=755 gid=0 uid=0 type=dir +usr/lib/jvm/ time=946684800.0 mode=755 gid=0 uid=0 type=dir +# NOTE: cacerts is moved to ./etc/ssl/certs/java/cacerts via the awk mutation hence +# a symlink created in the original location for completeness. +usr/lib/jvm/%s/lib/security/cacerts nlink=0 time=946684800.0 mode=777 gid=0 uid=0 type=link link=/etc/ssl/certs/java/cacerts +""" + +AWK = """\ +{ + sub("^" "output/lib/security/cacerts", "./etc/ssl/certs/java/cacerts") + sub("^" "output", "./usr/lib/jvm/%s") + sub(/time=[0-9\\.]+/, "time=946684800.0"); + if ($1 ~ ".*legal/.*" || $1 ~ ".*conf/.*") { + # keep it as 0755 + # or 0644 if its a file + if ($0 ~ ".*type=file.*") { + sub("mode=0755", "mode=0644") + } + } else if ($1 ~ ".*\\.jsa") { + sub("mode=0755", "mode=0644") + } if ($0 ~ ".*type=dir.*") { + # keep the 0755 permission override + } else { + sub("mode=0755", "") + } + # pkg_tar strips the leading ./ so we do too to avoid + # `duplicates of file paths not supported` error + sub("^" "./", "") + print +} +""" + BUILD_TMPL = """\ # GENERATED BY temurin_archive.bzl load("@distroless//private/pkg:debian_spdx.bzl", "debian_spdx") load("@distroless//private/util:merge_providers.bzl", "merge_providers") +load("@aspect_bazel_lib//lib:tar.bzl", "tar", "mtree_spec") load("@rules_pkg//:pkg.bzl", "pkg_tar") -load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup", "pkg_files", "pkg_attributes", "pkg_mklink_impl") - -# all files except bin and cacerts -pkg_files( - name = "_most_files", - srcs = glob( - ["output/**/*"], - ), - excludes = ["_executables", "_cacerts"], - strip_prefix = "output", -) -# special rules for bin files to make them executable and other executables -pkg_files( - name = "_executables", - srcs = glob(["output/bin/*"]) + ["output/lib/jexec", 
"output/lib/jspawnhelper"], - attributes = pkg_attributes( - mode = "0755", - user = "root", - group = "root", - ), - strip_prefix = "output", +SRCS = glob(["output/**/*"]) +mtree_spec( + name = "mtree", + srcs = SRCS, ) -# everything that needs to go into the jvm install dir -pkg_filegroup( - name = "_jvm_dir", - srcs = ["_executables", "_most_files"], - prefix = "/usr/lib/jvm/{name}", +genrule( + name = "mutate_mtree", + srcs = [":mtree"], + tools = ["static.mtree", "mutate.awk"], + outs = ["out.mtree"], + cmd = "cat $(execpath :static.mtree) >$@ && awk -f $(execpath :mutate.awk) <$< >>$@ && sort -o $@ $@" ) -# cacerts rules -pkg_files( - name = "_cacerts", - srcs = glob( - ["output/lib/security/cacerts"], - ), - renames = {{ - "output/lib/security/cacerts": "/etc/ssl/certs/java/cacerts", - }}, -) - -pkg_mklink_impl( - name = "_cacerts_link", - link_name = "/usr/lib/jvm/{name}/lib/security/cacerts", - target = "/etc/ssl/certs/java/cacerts", -) - -pkg_tar( +tar( name = "data", - srcs = ["_jvm_dir", "_cacerts", "_cacerts_link"], + srcs = SRCS, + mtree = "out.mtree" ) pkg_tar( @@ -90,6 +93,7 @@ merge_providers( """ def _impl(rctx): + name = rctx.attr.name.split("~")[-1] rctx.report_progress("Fetching {}".format(rctx.attr.package_name)) rctx.download_and_extract( url = rctx.attr.urls, @@ -98,6 +102,8 @@ def _impl(rctx): stripPrefix = rctx.attr.strip_prefix, output = "output", ) + rctx.file("static.mtree", STATIC_MTREE % name) + rctx.file("mutate.awk", AWK % name) rctx.template( "control", rctx.attr.control, @@ -110,7 +116,7 @@ def _impl(rctx): rctx.file( "BUILD.bazel", content = BUILD_TMPL.format( - name = rctx.attr.name.split("~")[-1], + name = name, package_name = rctx.attr.package_name, version = rctx.attr.version, spdx_id = rctx.attr.name,
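Review bot: In the `AWK` template the line `} if ($0 ~ ".*type=dir.*") {` opens a second, independent `if`, so its `else` branch runs `sub("mode=0755", "")` on every non-directory entry the first chain did not already rewrite to 0644, which includes `bin/*`, `lib/jexec` and `lib/jspawnhelper`. The removed `pkg_files` rule pinned those to `mode = "0755"` with `user = "root"` and `group = "root"`; with no `mode=` keyword left, the permission bits in the layer presumably come from whatever tar reads off the extracted files, so they follow the upstream archive and the build host rather than this file. If that fallback is intended, put the `if` on its own line and say so in a comment such as `# no mode= keyword: tar takes the mode from the extracted file`; otherwise keep an explicit mode for the executables. The genrule's `sort -o $@ $@` can also be locale-dependent, and `LC_ALL=C sort -o $@ $@` would keep the entry order, and with it the layer digest, stable across hosts. `BUILD_TMPL` continues past the end of this hunk.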
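Review bot: `name` is taken from `rctx.attr.name.split("~")[-1]` with no check, and the third hunk (`rctx.file("static.mtree", STATIC_MTREE % name)` and `rctx.file("mutate.awk", AWK % name)`) now interpolates it into mtree paths and into an awk replacement string, where a space, `&` or `\` would change the meaning of the line. The split also depends on `~` being the separator in the repository name; if the name ever arrives without it, the whole string becomes the JVM directory under `usr/lib/jvm/` and the cacerts symlink path moves with it. A guard right after the assignment would make both cases fail loudly, for example `if not name.replace("_", "").replace("-", "").isalnum(): fail("unexpected java repo name: " + rctx.attr.name)`, with the allowed characters adjusted to the names in `JAVA_RELEASE_VERSIONS`. `_impl` starts in this hunk and continues past its end.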