diff --git a/.buildkite/integration.pipeline.yml b/.buildkite/integration.pipeline.yml
index f3de81d4eac..e4f09c24735 100644
--- a/.buildkite/integration.pipeline.yml
+++ b/.buildkite/integration.pipeline.yml
@@ -118,6 +118,36 @@ steps:
           imagePrefix: "core-ubuntu-2204-aarch64"
           diskSizeGb: 200
 
+      - label: "Packaging: Containers linux/amd64 FIPS"
+        key: packaging-containers-x86-64-fips
+        env:
+          PACKAGES: "docker"
+          PLATFORMS: "linux/amd64"
+          FIPS: "true"
+        command: ".buildkite/scripts/steps/integration-package.sh"
+        artifact_paths:
+          - build/distributions/**
+        agents:
+          provider: "gcp"
+          machineType: "n2-standard-8"
+          diskSizeGb: 200
+
+      - label: "Packaging: Containers linux/arm64 FIPS"
+        key: packaging-containers-arm64-fips
+        env:
+          PACKAGES: "docker"
+          PLATFORMS: "linux/arm64"
+          FIPS: "true"
+        command: |
+          .buildkite/scripts/steps/integration-package.sh
+        artifact_paths:
+          - build/distributions/**
+        agents:
+          provider: "aws"
+          instanceType: "c6g.4xlarge"
+          imagePrefix: "core-ubuntu-2204-aarch64"
+          diskSizeGb: 200
+
   - label: "Serverless integration test"
     key: "serverless-integration-tests"
     depends_on:
diff --git a/.buildkite/pipeline.elastic-agent-binary-dra.yml b/.buildkite/pipeline.elastic-agent-binary-dra.yml
index 02bbffe3d07..ea3cfd762e4 100644
--- a/.buildkite/pipeline.elastic-agent-binary-dra.yml
+++ b/.buildkite/pipeline.elastic-agent-binary-dra.yml
@@ -25,7 +25,21 @@ steps:
       env:
         DRA_WORKFLOW: "snapshot"
         PLATFORMS: "linux/amd64 windows/amd64 darwin/amd64"
-    
+
+    - label: ":package: linux/amd64 FIPS Elastic-Agent Core Snapshot"
+      commands:
+        - .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-snapshot-x86-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "gcp"
+        machineType: "c2-standard-16"
+      env:
+        DRA_WORKFLOW: "snapshot"
+        PLATFORMS: "linux/amd64"
+        FIPS: "true"
+
     - label: ":package: linux/arm64 darwin/arm64 Elastic-Agent Core Snapshot"
       commands:
         - .buildkite/scripts/steps/build-agent-core.sh
@@ -40,6 +54,20 @@ steps:
         DRA_WORKFLOW: "snapshot"
         PLATFORMS: "linux/arm64 darwin/arm64"
 
+    - label: ":package: linux/arm64 FIPS Elastic-Agent Core Snapshot"
+      commands:
+        - .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-snapshot-arm-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "aws"
+        instanceType: "c6g.4xlarge"
+        imagePrefix: "core-ubuntu-2204-aarch64"
+      env:
+        DRA_WORKFLOW: "snapshot"
+        PLATFORMS: "linux/arm64"
+        FIPS: "true"
     - wait
 
     - label: ":hammer: DRA Publish Elastic-Agent Core Snapshot"
@@ -86,6 +114,21 @@ steps:
         DRA_WORKFLOW: "staging"
         PLATFORMS: "linux/amd64 windows/amd64 darwin/amd64"
 
+    - label: ":package: linux/amd64 FIPS Elastic-Agent Core staging"
+      commands: |
+        source .buildkite/scripts/version_qualifier.sh
+        .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-staging-x86-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "gcp"
+        machineType: "c2-standard-16"
+      env:
+        DRA_WORKFLOW: "staging"
+        PLATFORMS: "linux/amd64"
+        FIPS: "true"
+
     - label: ":package: linux/arm64 darwin/arm64 Elastic-Agent Core staging"
       commands: |
         source .buildkite/scripts/version_qualifier.sh
@@ -101,6 +144,22 @@ steps:
         DRA_WORKFLOW: "dra-core-staging"
         PLATFORMS: "linux/arm64 darwin/arm64"
 
+    - label: ":package: linux/arm64 FIPS Elastic-Agent Core staging"
+      commands: |
+        source .buildkite/scripts/version_qualifier.sh
+        .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-staging-arm-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "aws"
+        instanceType: "c6g.4xlarge"
+        imagePrefix: "core-ubuntu-2204-aarch64"
+      env:
+        DRA_WORKFLOW: "dra-core-staging"
+        PLATFORMS: "linux/arm64"
+        FIPS: "true"
+
     - wait
 
     - label: ":hammer: DRA Publish Elastic-Agent Core staging"
diff --git a/dev-tools/mage/build.go b/dev-tools/mage/build.go
index 92da55273b1..c5d879a6510 100644
--- a/dev-tools/mage/build.go
+++ b/dev-tools/mage/build.go
@@ -18,6 +18,8 @@ import (
 	"github.com/magefile/mage/sh"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
+
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 )
 
 // BuildArgs are the arguments used for the "build" target and they define how
@@ -73,6 +75,7 @@ func DefaultBuildArgs() BuildArgs {
 	args := BuildArgs{
 		Name: BeatName,
 		CGO:  build.Default.CgoEnabled,
+		Env:  map[string]string{},
 		Vars: map[string]string{
 			elasticAgentModulePath + "/version.buildTime": "{{ date }}",
 			elasticAgentModulePath + "/version.commit":    "{{ commit }}",
@@ -88,8 +91,16 @@ func DefaultBuildArgs() BuildArgs {
 	}
 
 	if FIPSBuild {
-		args.ExtraFlags = append(args.ExtraFlags, "-tags=requirefips")
-		args.CGO = true
+
+		fipsConfig := packaging.Settings().FIPS
+
+		for _, tag := range fipsConfig.Compile.Tags {
+			args.ExtraFlags = append(args.ExtraFlags, "-tags="+tag)
+		}
+		args.CGO = args.CGO || fipsConfig.Compile.CGO
+		for varName, value := range fipsConfig.Compile.Env {
+			args.Env[varName] = value
+		}
 	}
 
 	if DevBuild {
@@ -191,11 +202,6 @@ func Build(params BuildArgs) error {
 		cgoEnabled = "1"
 	}
 
-	if FIPSBuild {
-		cgoEnabled = "1"
-		env["GOEXPERIMENT"] = "systemcrypto"
-	}
-
 	env["CGO_ENABLED"] = cgoEnabled
 
 	// Spec
diff --git a/dev-tools/mage/checksums.go b/dev-tools/mage/checksums.go
index d4fbfc55808..7d57c204a87 100644
--- a/dev-tools/mage/checksums.go
+++ b/dev-tools/mage/checksums.go
@@ -9,7 +9,6 @@ import (
 	"log"
 	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/magefile/mage/mg"
 	"github.com/otiai10/copy"
@@ -41,23 +40,36 @@ func CopyComponentSpecs(componentName, versionedDropPath string) (string, error)
 	return GetSHA512Hash(targetPath)
 }
 
-// This is a helper function for flattenDependencies that's used when not packaging from a manifest
-func ChecksumsWithoutManifest(versionedFlatPath string, versionedDropPath string, packageVersion string) map[string]string {
-	globExpr := filepath.Join(versionedFlatPath, fmt.Sprintf("*%s*", packageVersion))
-	if mg.Verbose() {
-		log.Printf("Finding files to copy with %s", globExpr)
-	}
-	files, err := filepath.Glob(globExpr)
-	if err != nil {
-		panic(err)
-	}
-	if mg.Verbose() {
-		log.Printf("Validating checksums for %+v", files)
-		log.Printf("--- Copying into %s: %v", versionedDropPath, files)
-	}
-
+// ChecksumsWithoutManifest is a helper function for flattenDependencies that's used when not packaging from a manifest.
+// This function will iterate over the dependencies, resolve *exactly* the package name for each dependency and platform using the passed
+// dependenciesVersion, and it will copy the extracted files contained in the rootDir of each dependency from the versionedFlatPath
+// (a directory containing all the extracted dependencies per platform) to the versionedDropPath (a drop path by platform
+// that will be used to compose the package content)
+// ChecksumsWithoutManifest will accumulate the checksums of each component spec that is copied, and return it to the caller.
+func ChecksumsWithoutManifest(platform string, dependenciesVersion string, versionedFlatPath string, versionedDropPath string, dependencies []packaging.BinarySpec) map[string]string {
 	checksums := make(map[string]string)
-	for _, f := range files {
+
+	for _, dep := range dependencies {
+
+		if dep.PythonWheel {
+			if mg.Verbose() {
+				log.Printf(">>>>>>> Component %s/%s is a Python wheel, skipping", dep.ProjectName, dep.BinaryName)
+			}
+			continue
+		}
+
+		if !dep.SupportsPlatform(platform) {
+			log.Printf(">>>>>>> Component %s/%s does not support platform %s, skipping", dep.ProjectName, dep.BinaryName, platform)
+			continue
+		}
+
+		srcDir := filepath.Join(versionedFlatPath, dep.GetRootDir(dependenciesVersion, platform))
+
+		if mg.Verbose() {
+			log.Printf("Validating checksums for %+v", dep.BinaryName)
+			log.Printf("--- Copying into %s: %v", versionedDropPath, srcDir)
+		}
+
 		options := copy.Options{
 			OnSymlink: func(_ string) copy.SymlinkAction {
 				return copy.Shallow
@@ -65,44 +77,45 @@ func ChecksumsWithoutManifest(versionedFlatPath string, versionedDropPath string
 			Sync: true,
 		}
 		if mg.Verbose() {
-			log.Printf("> prepare to copy %s into %s ", f, versionedDropPath)
+			log.Printf("> prepare to copy %s into %s ", srcDir, versionedDropPath)
 		}
 
-		err = copy.Copy(f, versionedDropPath, options)
+		err := copy.Copy(srcDir, versionedDropPath, options)
 		if err != nil {
-			panic(err)
+			panic(fmt.Errorf("copying dependency %s files from %q to %q: %w", dep.BinaryName, srcDir, versionedDropPath, err))
 		}
 
 		// copy spec file for match
-		specName := filepath.Base(f)
-		idx := strings.Index(specName, "-"+packageVersion)
-		if idx != -1 {
-			specName = specName[:idx]
-		}
 		if mg.Verbose() {
-			log.Printf(">>>> Looking to copy spec file: [%s]", specName)
+			log.Printf(">>>> Looking to copy spec file: [%s]", dep.BinaryName)
 		}
 
-		checksum, err := CopyComponentSpecs(specName, versionedDropPath)
+		checksum, err := CopyComponentSpecs(dep.BinaryName, versionedDropPath)
 		if err != nil {
 			panic(err)
 		}
 
-		checksums[specName+ComponentSpecFileSuffix] = checksum
+		checksums[dep.BinaryName+ComponentSpecFileSuffix] = checksum
 	}
 
 	return checksums
 }
 
-// This is a helper function for flattenDependencies that's used when building from a manifest
-func ChecksumsWithManifest(platform, dependenciesVersion string, versionedFlatPath string, versionedDropPath string, manifestResponse *manifest.Build) map[string]string {
+// ChecksumsWithManifest is a helper function for flattenDependencies that's used when building from a manifest.
+// This function will iterate over the dependencies, resolve the package name for each dependency and platform using the manifest,
+// (there may be some variability there in case the manifest does not include an exact match for the expected filename),
+// and it will copy the extracted files contained in the rootDir of each dependency from the versionedFlatPath
+// (a directory containing all the extracted dependencies per platform) to the versionedDropPath (a drop path by platform
+// that will be used to compose the package content)
+// ChecksumsWithManifest will accumulate the checksums of each component spec that is copied, and return it to the caller.
+func ChecksumsWithManifest(platform string, dependenciesVersion string, versionedFlatPath string, versionedDropPath string, manifestResponse *manifest.Build, dependencies []packaging.BinarySpec) map[string]string {
 	checksums := make(map[string]string)
 	if manifestResponse == nil {
 		return checksums
 	}
 
 	// Iterate over the external binaries that we care about for packaging agent
-	for _, spec := range packaging.ExpectedBinaries {
+	for _, spec := range dependencies {
 
 		if spec.PythonWheel {
 			if mg.Verbose() {
@@ -124,21 +137,13 @@ func ChecksumsWithManifest(platform, dependenciesVersion string, versionedFlatPa
 			continue
 		}
 
+		rootDir := spec.GetRootDir(manifestPackage.ActualVersion, platform)
+
 		// Combine the package name w/ the versioned flat path
-		fullPath := filepath.Join(versionedFlatPath, manifestPackage.Name)
-
-		// Eliminate the file extensions to get the proper directory
-		// name that we need to copy
-		var dirToCopy string
-		if strings.HasSuffix(fullPath, ".tar.gz") {
-			dirToCopy = fullPath[:strings.LastIndex(fullPath, ".tar.gz")]
-		} else if strings.HasSuffix(fullPath, ".zip") {
-			dirToCopy = fullPath[:strings.LastIndex(fullPath, ".zip")]
-		} else {
-			dirToCopy = fullPath
-		}
+		fullPath := filepath.Join(versionedFlatPath, rootDir)
+
 		if mg.Verbose() {
-			log.Printf(">>>>>>> Calculated directory to copy: [%s]", dirToCopy)
+			log.Printf(">>>>>>> Calculated directory to copy: [%s]", fullPath)
 		}
 
 		// Set copy options
@@ -149,11 +154,11 @@ func ChecksumsWithManifest(platform, dependenciesVersion string, versionedFlatPa
 			Sync: true,
 		}
 		if mg.Verbose() {
-			log.Printf("> prepare to copy %s into %s ", dirToCopy, versionedDropPath)
+			log.Printf("> prepare to copy %s into %s ", fullPath, versionedDropPath)
 		}
 
 		// Do the copy
-		err = copy.Copy(dirToCopy, versionedDropPath, options)
+		err = copy.Copy(fullPath, versionedDropPath, options)
 		if err != nil {
 			panic(err)
 		}
diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go
index c7340490d41..8c4e70d150e 100644
--- a/dev-tools/mage/crossbuild.go
+++ b/dev-tools/mage/crossbuild.go
@@ -30,11 +30,11 @@ const defaultCrossBuildTarget = "golangCrossBuild"
 var Platforms = BuildPlatforms.Defaults()
 
 // SelectedPackageTypes is the list of package types. If empty, all packages types
-// are considered to be selected (see isPackageTypeSelected).
+// are considered to be selected (see IsPackageTypeSelected).
 var SelectedPackageTypes []PackageType
 
 // SelectedDockerVariants is the list of docker variants. If empty, all docker variants
-// are considered to be selected (see isDockerVariantSelected).
+// are considered to be selected (see IsDockerVariantSelected).
 var SelectedDockerVariants []DockerVariant
 
 func init() {
diff --git a/dev-tools/mage/dockerbuilder.go b/dev-tools/mage/dockerbuilder.go
index 8bc7498d9f5..627c665bbcb 100644
--- a/dev-tools/mage/dockerbuilder.go
+++ b/dev-tools/mage/dockerbuilder.go
@@ -227,9 +227,7 @@ func (b *dockerBuilder) dockerBuild() (string, []string, error) {
 	if b.Snapshot {
 		mainTag = mainTag + "-SNAPSHOT"
 	}
-	if b.FIPS {
-		mainTag = mainTag + "-fips"
-	}
+
 	if repository := b.ExtraVars["repository"]; repository != "" {
 		mainTag = fmt.Sprintf("%s/%s", repository, mainTag)
 	}
diff --git a/dev-tools/mage/manifest/manifest.go b/dev-tools/mage/manifest/manifest.go
index 8557e7bd2bc..7c33f08e8b3 100644
--- a/dev-tools/mage/manifest/manifest.go
+++ b/dev-tools/mage/manifest/manifest.go
@@ -126,7 +126,7 @@ func DownloadManifest(ctx context.Context, manifest string) (Build, error) {
 
 // DownloadComponents is going to download a set of components from the given manifest into the destination
 // dropPath folder in order to later use that folder for packaging
-func DownloadComponents(ctx context.Context, manifest string, platforms []string, dropPath string) error {
+func DownloadComponents(ctx context.Context, expectedBinaries []packaging.BinarySpec, manifest string, platforms []string, dropPath string) error {
 	manifestResponse, err := DownloadManifest(ctx, manifest)
 	if err != nil {
 		return fmt.Errorf("failed to download remote manifest file %w", err)
@@ -145,7 +145,7 @@ func DownloadComponents(ctx context.Context, manifest string, platforms []string
 
 	errGrp, downloadsCtx := errgroup.WithContext(ctx)
 	// for project, pkgs := range expectedProjectPkgs() {
-	for _, spec := range packaging.ExpectedBinaries {
+	for _, spec := range expectedBinaries {
 		for _, platform := range platforms {
 			targetPath := filepath.Join(dropPath)
 			err := os.MkdirAll(targetPath, 0755)
@@ -187,8 +187,9 @@ func DownloadComponents(ctx context.Context, manifest string, platforms []string
 }
 
 type ResolvedPackage struct {
-	Name string
-	URLs []string
+	Name          string
+	ActualVersion string
+	URLs          []string
 }
 
 func ResolveManifestPackage(project Project, spec packaging.BinarySpec, dependencyVersion string, platform string) (*ResolvedPackage, error) {
@@ -206,24 +207,29 @@ func ResolveManifestPackage(project Project, spec packaging.BinarySpec, dependen
 		}
 
 		return &ResolvedPackage{
-			Name: packageName,
-			URLs: []string{exactMatch.URL, exactMatch.ShaURL, exactMatch.AscURL},
+			Name:          packageName,
+			ActualVersion: dependencyVersion,
+			URLs:          []string{exactMatch.URL, exactMatch.ShaURL, exactMatch.AscURL},
 		}, nil
 	}
 
 	// If we didn't find it, it may be an Independent Agent Release, where
 	// the opted-in projects will have a patch version one higher than
 	// the rest of the projects, so we "relax" the version constraint
+	return resolveManifestPackageUsingRelaxedVersion(project, spec, dependencyVersion, platform)
+}
+
+func resolveManifestPackageUsingRelaxedVersion(project Project, spec packaging.BinarySpec, dependencyVersion string, platform string) (*ResolvedPackage, error) {
+	// start with the rendered package name
+	packageName := spec.GetPackageName(dependencyVersion, platform)
 
-	// Find the original version in the filename
+	// Find the original version in the rendered filename
 	versionIndex := strings.Index(packageName, dependencyVersion)
 	if versionIndex == -1 {
 		return nil, fmt.Errorf("no exact match and filename %q does not seem to contain dependencyVersion %q to try a fallback", packageName, dependencyVersion)
 	}
 
-	// TODO move relaxVersion to the version package so we can rewrite the version like so
-	//parseVersion, _ := version.ParseVersion(dependencyVersion)
-	//parseVersion.GetRelaxedPatchRegexp()
+	// obtain a regexp from the exact version string that allows for some flexibility on patch version, prerelease and build metadata tokens
 	relaxedVersion, err := relaxVersion(dependencyVersion)
 	if err != nil {
 		return nil, fmt.Errorf("relaxing dependencyVersion %q: %w", dependencyVersion, err)
@@ -235,7 +241,7 @@ func ResolveManifestPackage(project Project, spec packaging.BinarySpec, dependen
 
 	// locate the original version in the filename and substitute the relaxed version regexp, quoting everything around that
 	relaxedPackageName := regexp.QuoteMeta(packageName[:versionIndex])
-	relaxedPackageName += relaxedVersion
+	relaxedPackageName += `(?P<version>` + relaxedVersion + `)`
 	relaxedPackageName += regexp.QuoteMeta(packageName[versionIndex+len(dependencyVersion):])
 
 	if mg.Verbose() {
@@ -251,18 +257,19 @@ func ResolveManifestPackage(project Project, spec packaging.BinarySpec, dependen
 		if mg.Verbose() {
 			log.Printf(">>>>>>>>>>> Evaluating filename %s", pkgName)
 		}
-		if relaxedPackageNameRegexp.MatchString(pkgName) {
+		if submatches := relaxedPackageNameRegexp.FindStringSubmatch(pkgName); len(submatches) > 0 {
 			if mg.Verbose() {
 				log.Printf(">>>>>>>>>>> Found matching packageName for [%s, %s]: %s", project.Branch, project.CommitHash, pkgName)
 			}
 			return &ResolvedPackage{
-				Name: pkgName,
-				URLs: []string{pkg.URL, pkg.ShaURL, pkg.AscURL},
+				Name:          pkgName,
+				ActualVersion: submatches[1],
+				URLs:          []string{pkg.URL, pkg.ShaURL, pkg.AscURL},
 			}, nil
 		}
 	}
 
-	return nil, fmt.Errorf("package [%s] not found in project manifest at %s", packageName, project.ExternalArtifactsManifestURL)
+	return nil, fmt.Errorf("package [%s] not found in project manifest at %s using relaxed version %q", packageName, project.ExternalArtifactsManifestURL, relaxedPackageName)
 }
 
 // versionRegexp is taken from https://semver.org/ (see the FAQ section/Is there a suggested regular expression (RegEx) to check a SemVer string?)
@@ -303,12 +310,12 @@ func DownloadPackage(ctx context.Context, downloadUrl string, target string) err
 	}
 	valid := false
 	for _, manifestHost := range AllowedManifestHosts {
-		if manifestHost == parsedURL.Host {
+		if manifestHost == parsedURL.Hostname() {
 			valid = true
 		}
 	}
 	if !valid {
-		log.Printf("Not allowed %s, valid ones are %+v", parsedURL.Host, AllowedManifestHosts)
+		log.Printf("Not allowed %s, valid ones are %+v", parsedURL.Hostname(), AllowedManifestHosts)
 		return errorNotAllowedManifestURL
 	}
 	cleanUrl := fmt.Sprintf("https://%s%s", parsedURL.Host, parsedURL.Path)
diff --git a/dev-tools/mage/manifest/manifest_test.go b/dev-tools/mage/manifest/manifest_test.go
index 0d971edf69b..76a0d53cd2e 100644
--- a/dev-tools/mage/manifest/manifest_test.go
+++ b/dev-tools/mage/manifest/manifest_test.go
@@ -138,7 +138,7 @@ func TestResolveManifestPackage(t *testing.T) {
 			projects := manifestJson.Projects
 
 			// Verify the component name is in the list of expected packages.
-			spec, ok := findBinarySpec(tc.binary)
+			spec, ok := findBinarySpec(t, tc.binary)
 			assert.True(t, ok)
 
 			if !spec.SupportsPlatform(tc.platform) {
@@ -158,8 +158,11 @@ func TestResolveManifestPackage(t *testing.T) {
 	}
 }
 
-func findBinarySpec(name string) (packaging.BinarySpec, bool) {
-	for _, spec := range packaging.ExpectedBinaries {
+func findBinarySpec(t *testing.T, name string) (packaging.BinarySpec, bool) {
+	components, err := packaging.Components()
+	require.NoError(t, err, "error loading components from packages.yml")
+
+	for _, spec := range components {
 		if spec.BinaryName == name {
 			return spec, true
 		}
diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go
index ed93e86344e..2103305e48d 100644
--- a/dev-tools/mage/pkg.go
+++ b/dev-tools/mage/pkg.go
@@ -34,6 +34,15 @@ func Package() error {
 	// platforms := updateWithDarwinUniversal(Platforms)
 	platforms := Platforms
 
+	if mg.Verbose() {
+		debugSelectedPackageSpecsWithPlatform := make([]string, 0, len(Packages))
+		for _, p := range Packages {
+			debugSelectedPackageSpecsWithPlatform = append(debugSelectedPackageSpecsWithPlatform, fmt.Sprintf("spec %s on %s/%s", p.Spec.Name, p.OS, p.Arch))
+		}
+
+		log.Printf("Packaging for platforms %v, packages %v", platforms, debugSelectedPackageSpecsWithPlatform)
+	}
+
 	tasks := make(map[string][]interface{})
 	for _, target := range platforms {
 		for _, pkg := range Packages {
@@ -41,13 +50,19 @@ func Package() error {
 				continue
 			}
 
+			// Checks if this package is compatible with the FIPS settings
+			if pkg.Spec.FIPS != FIPSBuild {
+				log.Printf("Skipping %s/%s package type because FIPS flag doesn't match [pkg=%v, build=%v]", pkg.Spec.Name, pkg.OS, pkg.Spec.FIPS, FIPSBuild)
+				continue
+			}
+
 			for _, pkgType := range pkg.Types {
-				if !isPackageTypeSelected(pkgType) {
+				if !IsPackageTypeSelected(pkgType) {
 					log.Printf("Skipping %s package type because it is not selected", pkgType)
 					continue
 				}
 
-				if pkgType == Docker && !isDockerVariantSelected(pkg.Spec.DockerVariant) {
+				if pkgType == Docker && !IsDockerVariantSelected(pkg.Spec.DockerVariant) {
 					log.Printf("Skipping %s docker variant type because it is not selected", pkg.Spec.DockerVariant)
 					continue
 				}
@@ -80,7 +95,6 @@ func Package() error {
 				spec.OS = target.GOOS()
 				spec.Arch = packageArch
 				spec.Snapshot = Snapshot
-				spec.FIPS = FIPSBuild
 				spec.evalContext = map[string]interface{}{
 					"GOOS":          target.GOOS(),
 					"GOARCH":        target.GOARCH(),
@@ -100,6 +114,10 @@ func Package() error {
 
 				spec = spec.Evaluate()
 
+				if mg.Verbose() {
+					log.Printf("Adding task for packaging %s on %s/%s", spec.Name, target.GOOS(), target.Arch())
+				}
+
 				tasks[target.GOOS()+"-"+target.Arch()] = append(tasks[target.GOOS()+"-"+target.Arch()], packageBuilder{target, spec, pkgType}.Build)
 			}
 		}
@@ -112,9 +130,9 @@ func Package() error {
 	return nil
 }
 
-// isPackageTypeSelected returns true if SelectedPackageTypes is empty or if
+// IsPackageTypeSelected returns true if SelectedPackageTypes is empty or if
 // pkgType is present on SelectedPackageTypes. It returns false otherwise.
-func isPackageTypeSelected(pkgType PackageType) bool {
+func IsPackageTypeSelected(pkgType PackageType) bool {
 	if len(SelectedPackageTypes) == 0 {
 		return true
 	}
@@ -127,9 +145,9 @@ func isPackageTypeSelected(pkgType PackageType) bool {
 	return false
 }
 
-// isDockerVariantSelected returns true if SelectedDockerVariants is empty or if
+// IsDockerVariantSelected returns true if SelectedDockerVariants is empty or if
 // docVariant is present on SelectedDockerVariants. It returns false otherwise.
-func isDockerVariantSelected(docVariant DockerVariant) bool {
+func IsDockerVariantSelected(docVariant DockerVariant) bool {
 	if len(SelectedDockerVariants) == 0 {
 		return true
 	}
@@ -248,10 +266,6 @@ func TestPackages(options ...TestPackagesOption) error {
 		args = append(args, "-root-owner")
 	}
 
-	if FIPSBuild {
-		args = append(args, "-fips")
-	}
-
 	args = append(args, "-files", MustExpand("{{.PWD}}/build/distributions/*"))
 
 	if out, err := goTest(args...); err != nil {
diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
index 81aef4444ab..3cca0b06848 100644
--- a/dev-tools/mage/pkgtypes.go
+++ b/dev-tools/mage/pkgtypes.go
@@ -29,6 +29,7 @@ import (
 	"gopkg.in/yaml.v3"
 
 	"github.com/elastic/elastic-agent/dev-tools/mage/pkgcommon"
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 )
 
 const (
@@ -40,13 +41,13 @@ const (
 	packageStagingDir = "build/package"
 
 	// defaultBinaryName specifies the output file for zip and tar.gz.
-	defaultBinaryName = "{{.Name}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}{{if .FIPS}}-fips{{end}}"
+	defaultBinaryName = "{{.Name}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}"
 
 	// defaultRootDir is the default name of the root directory contained inside of zip and
 	// tar.gz packages.
 	// NOTE: This uses .BeatName instead of .Name because we wanted the internal
 	// directory to not include "-oss".
-	defaultRootDir = "{{.BeatName}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}{{if .FIPS}}-fips{{end}}"
+	defaultRootDir = "{{.BeatName}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}"
 
 	componentConfigMode os.FileMode = 0600
 
@@ -107,6 +108,7 @@ type PackageSpec struct {
 	OutputFile        string                 `yaml:"output_file,omitempty"` // Optional
 	ExtraVars         map[string]string      `yaml:"extra_vars,omitempty"`  // Optional
 	ExtraTags         []string               `yaml:"extra_tags,omitempty"`  // Optional
+	Components        []packaging.BinarySpec `yaml:"components"`            // Optional: Components required for this package
 
 	evalContext            map[string]interface{}
 	packageDir             string
@@ -428,6 +430,7 @@ func (s PackageSpec) Evaluate(args ...map[string]interface{}) PackageSpec {
 		s.packageDir = filepath.Clean(mustExpand(s.packageDir))
 	}
 	s.evalContext["PackageDir"] = s.packageDir
+	s.evalContext["fips"] = s.FIPS
 
 	evaluatedFiles := make(map[string]PackageFile, len(s.Files))
 	for target, f := range s.Files {
diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
index ab09281e015..bd3e824275a 100644
--- a/dev-tools/mage/settings.go
+++ b/dev-tools/mage/settings.go
@@ -337,7 +337,7 @@ func AgentPackageVersion() (string, error) {
 	return BeatQualifiedVersion()
 }
 
-func PackageManifest() (string, error) {
+func PackageManifest(fips bool) (string, error) {
 
 	packageVersion, err := AgentPackageVersion()
 	if err != nil {
@@ -359,14 +359,15 @@ func PackageManifest() (string, error) {
 		return "", fmt.Errorf("retrieving agent flavors: %w", err)
 	}
 
-	return GeneratePackageManifest(BeatName, packageVersion, Snapshot, hash, commitHashShort, registry)
+	return GeneratePackageManifest(BeatName, packageVersion, Snapshot, hash, commitHashShort, fips, registry)
 }
 
-func GeneratePackageManifest(beatName, packageVersion string, snapshot bool, fullHash, shortHash string, flavorsRegistry map[string][]string) (string, error) {
+func GeneratePackageManifest(beatName, packageVersion string, snapshot bool, fullHash, shortHash string, fips bool, flavorsRegistry map[string][]string) (string, error) {
 	m := v1.NewManifest()
 	m.Package.Version = packageVersion
 	m.Package.Snapshot = snapshot
 	m.Package.Hash = fullHash
+	m.Package.Fips = fips
 
 	versionedHomePath := path.Join("data", fmt.Sprintf("%s-%s", beatName, shortHash))
 	m.Package.VersionedHome = versionedHomePath
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index e537dad6cd2..9c7ac30449a 100644
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -1,9 +1,207 @@
 ---
 
-# This file contains the package specifications for both Community Beats and
-# Official Beats. The shared section contains YAML anchors that are used to
-# define common parts of the package in order to not repeat ourselves.
+# This file contains the package specifications for Elastic Agent
 
+# List all the available platforms
+platforms: &all-platforms
+  - &linux-amd64
+    os: linux
+    arch: x86_64
+  - &linux-arm64
+    os: linux
+    arch: arm64
+  - &windows-amd64
+    os: windows
+    arch: x86_64
+  - &darwin-amd64
+    os: darwin
+    arch: x86_64
+  - &darwin-arm64
+    os: darwin
+    arch: aarch64
+
+# List all the package type constants (see dev-tools/mage/pkgcommon/pkgcommon-types.go)
+packageTypes: &all-package-types
+  - &pkg-type-rpm
+      1 # RPM
+  - &pkg-type-deb
+      2 # Deb
+  - &pkg-type-zip
+      3 # zip
+  - &pkg-type-targz
+      4 # tar.gz
+  - &pkg-type-docker
+      5 # docker
+
+# Settings section contains general compiling and packaging settings
+settings:
+  fips:
+    compile:
+      cgo: true
+      env:
+        GOEXPERIMENT: systemcrypto
+      tags:
+        - requirefips
+      platforms:
+        - *linux-amd64
+        - *linux-arm64
+
+# List *all* the components available for packaging in elastic-agent
+components:
+  # general template for new components (all attributes are mandatory)
+  #  - &comp-<anchor name>
+  #    projectName: <project name under manifest>
+  #    packageName: <template representing the name of the archive to download/extract>
+  #    binaryName: <binary name>
+  #    rootDir: <template representing directory from the archive root where the binary is located>
+  #    fips: <boolean indicating if this component is FIPS compliant>
+  #    platforms:
+  #      - <platform, use anchors for platforms above>
+  #    pythonWheel: true # true if it's a package that is not platform specific
+  #    packageTypes: *all-package-types # package types it should be included in
+  - &comp-agentbeat
+    projectName: beats
+    packageName: agentbeat-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: agentbeat-{{.Version}}-{{.Platform}}
+    binaryName: agentbeat
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-apm_server
+    projectName: apm-server
+    packageName: apm-server-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: apm-server-{{.Version}}-{{.Platform}}
+    binaryName: apm-server
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+      - *windows-amd64
+      - *darwin-amd64
+    packageTypes: *all-package-types
+  - &comp-cloudbeat
+    projectName: cloudbeat
+    packageName: cloudbeat-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: cloudbeat-{{.Version}}-{{.Platform}}
+    binaryName: cloudbeat
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-connectors
+    projectName: connectors
+    packageName: connectors-{{.Version}}.zip
+    # FIXME: connectors use only <major>.<minor>.<patch> in the root directory name so the definition should be something
+    # using the beat_version or similar
+    # We don't support that yet, so we are defining a rootDir that will error out if rendered. This is not a problem since
+    # we don't extract/manipulate the archive during packaging, it has its own special handling in the 'service' docker image
+    rootDir: elasticsearch_connectors-{{beat_version}}
+    binaryName: connectors
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    pythonWheel: true
+    packageTypes: *all-package-types
+  - &comp-endpoint
+    projectName: endpoint-dev
+    packageName: endpoint-security-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: endpoint-security-{{.Version}}-{{.Platform}}
+    binaryName: endpoint-security
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-fleet-server
+    projectName: fleet-server
+    packageName: fleet-server-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: fleet-server-{{.Version}}-{{.Platform}}
+    binaryName: fleet-server
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-pf-elastic-collector
+    projectName: prodfiler
+    packageName: pf-elastic-collector-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: pf-elastic-collector-{{.Version}}-{{.Platform}}
+    binaryName: pf-elastic-collector
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-pf-elastic-symbolizer
+    projectName: prodfiler
+    packageName: pf-elastic-symbolizer-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: pf-elastic-symbolizer-{{.Version}}-{{.Platform}}
+    binaryName: pf-elastic-symbolizer
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-pf-host-agent
+    projectName: prodfiler
+    packageName: pf-host-agent-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: pf-host-agent-{{.Version}}-{{.Platform}}
+    binaryName: pf-host-agent
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  # Elastic Agent core component, defined here because it's a dependency when packaging using elastic-agent DRA
+  - &comp-elastic-agent-core
+    projectName: elastic-agent-core
+    packageName: elastic-agent-core-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: elastic-agent-core-{{.Version}}-{{.Platform}}
+    binaryName: elastic-agent
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-agentbeat-fips
+    projectName: beats
+    packageName: agentbeat-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: agentbeat-{{.Version}}-{{.Platform}}
+    binaryName: agentbeat
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-apm_server-fips
+    projectName: apm-server
+    packageName: apm-server-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: apm-server-fips-{{.Version}}-{{.Platform}}
+    binaryName: apm-server
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-fleet-server-fips
+    projectName: fleet-server
+    packageName: fleet-server-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: fleet-server-fips-{{.Version}}-{{.Platform}}
+    binaryName: fleet-server
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  # Elastic Agent core component (FIPS-compliant version), defined here because it's a dependency when packaging using elastic-agent DRA
+  - &comp-elastic-agent-core-fips
+    projectName: elastic-agent-core
+    packageName: elastic-agent-core-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: elastic-agent-core-{{.Version}}-{{.Platform}}
+    binaryName: elastic-agent
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+# The shared section contains YAML anchors that are used to
+# define common parts of the package in order to not repeat ourselves.
 shared:
   - &common
     name: '{{.BeatName}}'
@@ -16,7 +214,40 @@ shared:
     url: '{{.BeatURL}}'
     description: '{{.BeatDescription}}'
 
+  - &common_fips
+    name: '{{.BeatName}}-fips'
+    service_name: '{{.BeatServiceName}}'
+    os: '{{.GOOS}}'
+    arch: '{{.PackageArch}}'
+    vendor: '{{.BeatVendor}}'
+    version: '{{ agent_package_version }}'
+    fips: true
+    license: '{{.BeatLicense}}'
+    url: '{{.BeatURL}}'
+    description: '{{.BeatDescription}}'
+
   # agent specific
+
+  # components included in elastic-agent package specs defined before components support in this YAML
+  - &elastic_agent_components
+    components:
+      - *comp-agentbeat
+      - *comp-apm_server
+      - *comp-cloudbeat
+      - *comp-connectors
+      - *comp-endpoint
+      - *comp-fleet-server
+      - *comp-pf-elastic-collector
+      - *comp-pf-elastic-symbolizer
+      - *comp-pf-host-agent
+
+  # components included in FIPS-compliant elastic-agent package specs
+  - &elastic_agent_fips_components
+    components:
+      - *comp-agentbeat-fips
+      - *comp-apm_server-fips
+      - *comp-fleet-server-fips
+
   # Deb/RPM spec for community beats.
   - &deb_rpm_agent_spec
     <<: *common
@@ -79,7 +310,7 @@ shared:
       /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{agent_package_version}}{{snapshot_suffix}}-{{ commit_short }}/manifest.yaml:
         mode: 0644
         content: >
-          {{ manifest }}
+          {{ manifest .fips }}
 
   - &linux_otel_files
     'otelcol':
@@ -124,7 +355,7 @@ shared:
     'manifest.yaml':
       mode: 0644
       content: >
-        {{ manifest }}
+        {{ manifest .fips }}
 
   - &agent_binary_files
     '{{.BeatName}}{{.BinaryExt}}':
@@ -170,7 +401,7 @@ shared:
     <<: *agent_darwin_app_bundle_files
     <<: *agent_binary_common_files
 
-  - &agent_components
+  - &agent_unpacked_components_files
     'data/{{.BeatName}}-{{ commit_short }}/components':
       source: '{{.AgentDropPath}}/{{.GOOS}}-{{.AgentArchName}}.tar.gz/'
       mode: 0755
@@ -178,7 +409,7 @@ shared:
       skip_on_missing: true
 
   # Binary package spec (tar.gz for linux) for community beats.
-  - &agent_binary_spec_no_components
+  - &agent_binary_spec_no_component_files
     <<: *common
     files:
       <<: *agent_binary_files
@@ -186,21 +417,30 @@ shared:
 
   - &agent_binary_spec
     <<: *common
+    <<: *elastic_agent_components
     files:
       <<: *agent_binary_files
       <<: *linux_otel_files
-      <<: *agent_components
+      <<: *agent_unpacked_components_files
 
+  - &agent_binary_fips_spec
+    <<: *common_fips
+    <<: *elastic_agent_fips_components
+    files:
+      <<: *agent_binary_files
+      <<: *agent_unpacked_components_files
 
   - &agent_darwin_binary_spec
     <<: *common
+    <<: *elastic_agent_components
     files:
       <<: *agent_darwin_binary_files
-      <<: *agent_components
+      <<: *agent_unpacked_components_files
 
   # Binary package spec (zip for windows) for community beats.
   - &agent_windows_binary_spec
     <<: *common
+    <<: *elastic_agent_components
     files:
       <<: *agent_binary_files
       'data/{{.BeatName}}-{{ commit_short }}/components':
@@ -241,11 +481,17 @@ shared:
     docker_variant: 'wolfi'
     extra_vars:
       from: '--platform=linux/amd64 cgr.dev/chainguard/wolfi-base'
+
   - &docker_wolfi_arm_spec
     docker_variant: 'wolfi'
     extra_vars:
       from: '--platform=linux/arm64 cgr.dev/chainguard/wolfi-base'
 
+  - &docker_fips_spec
+    docker_variant: 'basic'
+    extra_vars:
+      from: 'docker.elastic.co/wolfi/chainguard-base-fips:latest'
+
   - &docker_elastic_spec
     extra_vars:
       repository: 'docker.elastic.co/elastic-agent'
@@ -275,6 +521,27 @@ shared:
         source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
         mode: 0755
 
+  - &agent_docker_fips_spec
+    <<: *agent_binary_fips_spec
+    extra_vars:
+      dockerfile: 'Dockerfile.elastic-agent.tmpl'
+      docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
+      user: '{{ .BeatName }}'
+      linux_capabilities: ''
+      beats_install_path: "install"
+    files:
+      'elastic-agent.yml':
+        source: 'elastic-agent.docker.yml'
+        mode: 0600
+        config: true
+      '.elastic-agent.active.commit':
+        content: >
+          {{ commit }}
+        mode: 0644
+      'hints.inputs.d':
+        source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
+        mode: 0755
+
   # cloud build to beats-ci repository
   - &agent_docker_cloud_spec
     docker_variant: 'cloud'
@@ -291,6 +558,21 @@ shared:
         source: '{{.AgentDropPath}}/archives/{{.GOOS}}-{{.AgentArchName}}.tar.gz/agentbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz'
         mode: 0755
 
+  - &agent_docker_cloud_fips_spec
+    docker_variant: 'cloud'
+    extra_vars:
+      repository: 'docker.elastic.co/beats-ci'
+    files:
+      'data/cloud_downloads/filebeat.sh':
+        source: '{{ elastic_beats_dir }}/dev-tools/packaging/files/linux/filebeat.sh'
+        mode: 0755
+      'data/cloud_downloads/metricbeat.sh':
+        source: '{{ elastic_beats_dir }}/dev-tools/packaging/files/linux/metricbeat.sh'
+        mode: 0755
+      'data/cloud_downloads/agentbeat-fips-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz':
+        source: '{{.AgentDropPath}}/archives/{{.GOOS}}-{{.AgentArchName}}.tar.gz/agentbeat-fips-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz'
+        mode: 0755
+
   # service build is based on previous cloud variant
   - &agent_docker_service_spec
     docker_variant: 'service'
@@ -308,7 +590,7 @@ shared:
         mode: 0644
 
   - &agent_docker_edot_spec
-    <<: *agent_binary_spec_no_components
+    <<: *agent_binary_spec_no_component_files
     docker_variant: 'elastic-otel-collector'
     name: 'elastic-otel-collector'
     extra_vars:
@@ -340,7 +622,7 @@ shared:
     name: 'elastic-otel-collector-wolfi'
 
   - &agent_docker_slim_spec
-    <<: *agent_binary_spec_no_components
+    <<: *agent_binary_spec_no_component_files
     docker_variant: 'slim'
     extra_vars:
       dockerfile: 'Dockerfile.elastic-agent.tmpl'
@@ -584,115 +866,6 @@ shared:
         source: '{{ repo.RootDir }}/dev-tools/licenses/ELASTIC-LICENSE-2.0.txt'
         mode: 0644
 
-platforms: &all-platforms
-  - &linux-amd64
-    os: linux
-    arch: x86_64
-  - &linux-arm64
-    os: linux
-    arch: arm64
-  - &windows-amd64
-    os: windows
-    arch: x86_64
-  - &darwin-amd64
-    os: darwin
-    arch: x86_64
-  - &darwin-arm64
-    os: darwin
-    arch: aarch64
-
-packageTypes: &all-package-types
-  - &pkg-type-rpm
-    1 # RPM
-  - &pkg-type-deb
-    2 # Deb
-  - &pkg-type-zip
-    3 # zip
-  - &pkg-type-targz
-    4 # tar.gz
-  - &pkg-type-docker
-    5 # docker
-
-components:
-  # general template for new components
-#  - &comp-<anchor name>
-#    projectName: <project name under manifest>
-#    packageName: <template representing the name of the archive to download/extract>
-#    binaryName: <binary name>
-#    platforms:
-#      - <platform, use anchors for platforms above>
-#    pythonWheel: true # true if it's a package that is not platform specific
-#    packageTypes: *all-package-types # package types it should be included in
-  - &comp-agentbeat
-    projectName: beats
-    packageName: agentbeat-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: agentbeat
-    platforms: *all-platforms
-    packageTypes: *all-package-types
-  - &comp-apm_server
-    projectName: apm-server
-    packageName: apm-server-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: apm-server
-    platforms:
-      - *linux-amd64
-      - *linux-arm64
-      - *windows-amd64
-      - *darwin-amd64
-    packageTypes: *all-package-types
-  - &comp-cloudbeat
-    projectName: cloudbeat
-    packageName: cloudbeat-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: cloudbeat
-    platforms:
-      - *linux-amd64
-      - *linux-arm64
-    packageTypes: *all-package-types
-  - &comp-connectors
-    projectName: connectors
-    packageName: connectors-{{.Version}}.zip
-    binaryName: connectors
-    platforms:
-      - *linux-amd64
-      - *linux-arm64
-    pythonWheel: true
-    packageTypes: *all-package-types
-  - &comp-endpoint
-    projectName: endpoint-dev
-    packageName: endpoint-security-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: endpoint-security
-    platforms: *all-platforms
-    packageTypes: *all-package-types
-  - &comp-fleet-server
-    projectName: fleet-server
-    packageName: fleet-server-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: fleet-server
-    platforms: *all-platforms
-    packageTypes: *all-package-types
-  - &comp-pf-elastic-collector
-    projectName: prodfiler
-    packageName: pf-elastic-collector-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: pf-elastic-collector
-    platforms:
-      - *linux-amd64
-      - *linux-arm64
-    packageTypes: *all-package-types
-  - &comp-pf-elastic-collector
-    projectName: prodfiler
-    packageName: pf-elastic-symbolizer-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: pf-elastic-symbolizer
-    platforms:
-      - *linux-amd64
-      - *linux-arm64
-    packageTypes: *all-package-types
-  - &comp-pf-host-agent
-    projectName: prodfiler
-    packageName: pf-host-agent-{{.Version}}-{{.Platform}}.{{.Ext}}
-    binaryName: pf-host-agent
-    platforms:
-      - *linux-amd64
-      - *linux-arm64
-    packageTypes: *all-package-types
-
 # specs is a list of named packaging "flavors".
 specs:
   # Community Beats
@@ -1362,6 +1535,71 @@ specs:
             symlink: true
             mode: 0755
 
+    ######## Start FIPS Specs ########
+    - os: linux
+      types: [tgz]
+      spec:
+        <<: *agent_binary_fips_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}
+            symlink: true
+            mode: 0755
+
+    - os: linux
+      arch: amd64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *docker_builder_spec
+        <<: *agent_docker_fips_spec
+        <<: *docker_elastic_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
+    - os: linux
+      arch: arm64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *docker_builder_arm_spec
+        <<: *agent_docker_fips_spec
+        <<: *docker_elastic_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
+    - os: linux
+      arch: amd64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *agent_docker_fips_spec
+        # The cloud image is always based on Wolfi
+        <<: *docker_builder_spec
+        <<: *agent_docker_cloud_fips_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+    - os: linux
+      arch: arm64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *agent_docker_fips_spec
+        # The cloud image is always based on Wolfi
+        <<: *docker_builder_arm_spec
+        <<: *agent_docker_cloud_fips_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+    ######## End FIPS Specs ########
 
   # Elastic Beat with Elastic License and binary taken from the x-pack dir.
   elastic_beat_agent_demo_binaries:
@@ -1409,8 +1647,8 @@ specs:
       spec:
         <<: *common
         <<: *elastic_license_for_binaries
+        name: '{{.BeatName}}-core'
         version: '{{ beat_version }}'
-        qualifier: core
         files:
           '{{.BeatName}}{{.BinaryExt}}':
             source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
@@ -1420,8 +1658,8 @@ specs:
       spec:
         <<: *common
         <<: *elastic_license_for_binaries
+        name: '{{.BeatName}}-core'
         version: '{{ beat_version }}'
-        qualifier: core
         files:
           '{{.BeatName}}{{.BinaryExt}}':
             source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
@@ -1431,8 +1669,8 @@ specs:
       spec:
         <<: *common
         <<: *elastic_license_for_binaries
+        name: '{{.BeatName}}-core'
         version: '{{ beat_version }}'
-        qualifier: core
         files:
           '{{.BeatName}}{{.BinaryExt}}':
             source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
@@ -1442,8 +1680,19 @@ specs:
       spec:
         <<: *common
         <<: *elastic_license_for_binaries
+        name: '{{.BeatName}}-core'
         version: '{{ beat_version }}'
-        qualifier: core
         files:
           '{{.BeatName}}{{.BinaryExt}}':
             source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
+    - os: linux
+      types: [tgz]
+      spec:
+        <<: *common_fips
+        <<: *elastic_license_for_binaries
+        name: '{{.BeatName}}-core-fips'
+        version: '{{ beat_version }}'
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
\ No newline at end of file
diff --git a/dev-tools/packaging/settings.go b/dev-tools/packaging/settings.go
index 606e8187dcf..c0ef6a96c81 100644
--- a/dev-tools/packaging/settings.go
+++ b/dev-tools/packaging/settings.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"slices"
 	"text/template"
 
 	"github.com/magefile/mage/mg"
@@ -43,10 +44,7 @@ var (
 			ext:      "zip",
 		},
 	}
-	// ExpectedBinaries  is a map of binaries agent needs to their project in the unified-release manager.
-	// The project names are those used in the "projects" list in the unified release manifest.
-	// See the sample manifests in the testdata directory.
-	ExpectedBinaries []BinarySpec
+	settings *packagesConfig
 )
 
 func init() {
@@ -56,7 +54,7 @@ func init() {
 		return
 	}
 
-	ExpectedBinaries = packageSettings.Components
+	settings = packageSettings
 }
 
 type platformAndExt struct {
@@ -67,7 +65,9 @@ type platformAndExt struct {
 type BinarySpec struct {
 	BinaryName   string                  `yaml:"binaryName"`
 	PackageName  string                  `yaml:"packageName"`
+	RootDir      string                  `yaml:"rootDir"`
 	ProjectName  string                  `yaml:"projectName"`
+	FIPS         bool                    `yaml:"fips"`
 	Platforms    []Platform              `yaml:"platforms"`
 	PythonWheel  bool                    `yaml:"pythonWheel"`
 	PackageTypes []pkgcommon.PackageType `yaml:"packageTypes"`
@@ -91,6 +91,9 @@ func (proj BinarySpec) SupportsPackageType(pkgType pkgcommon.PackageType) bool {
 	return false
 }
 
+// GetPackageName will return a rendered version of the BinarySpec.packageName attribute (which is a golang template),
+// using version and platform strings provided to create a template context containing 'Version', 'Platform' and 'Ext' values.
+// The string returned will contain the expected filename of the package file for the BinarySpec
 func (proj BinarySpec) GetPackageName(version string, platform string) string {
 	tmpl, err := template.New("package_name").Parse(proj.PackageName)
 	if err != nil {
@@ -110,6 +113,69 @@ func (proj BinarySpec) GetPackageName(version string, platform string) string {
 	return buf.String()
 }
 
+// GetRootDir will return a rendered version of the BinarySpec.rootDir attribute (which is a golang template), using
+// version and platform strings provided to create a template context containing 'Version', 'Platform' and 'Ext' values.
+// The string returned will contain the expected name of the root directory created when extracted the package file for
+// the BinarySpec
+func (proj BinarySpec) GetRootDir(version string, platform string) string {
+	if proj.RootDir == "" {
+		// shortcut to avoid rendering template when there's no RootDir specified
+		return ""
+	}
+	tmpl, err := template.New("inner_path").Parse(proj.RootDir)
+	if err != nil {
+		panic(fmt.Errorf("parsing innerPath template for project/binary %s/%s %q: %w", proj.ProjectName, proj.BinaryName, proj.RootDir, err))
+	}
+
+	// look for the platform strings, if not found an empty object is returned and empty values will be used for rendering
+	pltfStrings := PlatformPackages[platform]
+	tmplContext := map[string]string{"Version": version, "Platform": pltfStrings.platform, "Ext": pltfStrings.ext}
+
+	var buf bytes.Buffer
+	err = tmpl.Execute(&buf, tmplContext)
+	if err != nil {
+		panic(fmt.Errorf("rendering innerPath template for project/binary %s/%s %q with context %v: %w",
+			proj.ProjectName, proj.BinaryName, proj.PackageName, tmplContext, err))
+	}
+	return buf.String()
+}
+
+func (proj BinarySpec) Equal(other BinarySpec) bool {
+	if proj.BinaryName != other.BinaryName {
+		return false
+	}
+
+	if proj.PackageName != other.PackageName {
+		return false
+	}
+
+	if proj.RootDir != other.RootDir {
+		return false
+	}
+
+	if proj.ProjectName != other.ProjectName {
+		return false
+	}
+
+	if proj.FIPS != other.FIPS {
+		return false
+	}
+
+	if !slices.Equal(proj.Platforms, other.Platforms) {
+		return false
+	}
+
+	if proj.PythonWheel != other.PythonWheel {
+		return false
+	}
+
+	if !slices.Equal(proj.PackageTypes, other.PackageTypes) {
+		return false
+	}
+
+	return true
+}
+
 type Platform struct {
 	OS   string
 	Arch string
@@ -126,10 +192,24 @@ func (p Platform) Platform() string {
 	return p.OS + "/" + p.Arch
 }
 
+type FIPSConfig struct {
+	Compile struct {
+		CGO       bool              `yaml:"cgo"`
+		Env       map[string]string `yaml:"env"`
+		Tags      []string          `yaml:"tags"`
+		Platforms []Platform        `yaml:"platforms"`
+	} `yaml:"compile"`
+}
+
+type GlobalSettings struct {
+	FIPS FIPSConfig `yaml:"fips"`
+}
+
 type packagesConfig struct {
 	Platforms    []Platform              `yaml:"platforms"`
 	PackageTypes []pkgcommon.PackageType `yaml:"packageTypes"`
 	Components   []BinarySpec            `yaml:"components"`
+	Settings     GlobalSettings          `yaml:"settings"`
 }
 
 func parsePackageSettings(r io.Reader) (*packagesConfig, error) {
@@ -144,3 +224,47 @@ func parsePackageSettings(r io.Reader) (*packagesConfig, error) {
 	}
 	return packagesConf, nil
 }
+
+// Components returns a *copy* of all the binary specs loaded from packages.yml
+func Components() ([]BinarySpec, error) {
+	if settings == nil {
+		return nil, fmt.Errorf("package settings not loaded")
+	}
+	ret := make([]BinarySpec, len(settings.Components))
+	copy(ret, settings.Components)
+	return ret, nil
+}
+
+func Settings() GlobalSettings {
+	return settings.Settings
+}
+
+func FilterComponents(filters ...ComponentFilter) []BinarySpec {
+	ret := make([]BinarySpec, 0, len(settings.Components))
+
+COMPLOOP:
+	for _, c := range settings.Components {
+		for _, filter := range filters {
+			if !filter(c) {
+				// this filter doesn't match, move to the next component
+				continue COMPLOOP
+			}
+		}
+		ret = append(ret, c)
+	}
+	return ret
+}
+
+type ComponentFilter func(BinarySpec) bool
+
+func WithProjectName(projectName string) ComponentFilter {
+	return func(p BinarySpec) bool {
+		return p.ProjectName == projectName
+	}
+}
+
+func WithFIPS(fips bool) ComponentFilter {
+	return func(p BinarySpec) bool {
+		return p.FIPS == fips
+	}
+}
diff --git a/dev-tools/packaging/testing/package_test.go b/dev-tools/packaging/testing/package_test.go
index dec618f9a82..04162688794 100644
--- a/dev-tools/packaging/testing/package_test.go
+++ b/dev-tools/packaging/testing/package_test.go
@@ -25,7 +25,6 @@ import (
 	"io"
 	"maps"
 	"os"
-	"path"
 	"path/filepath"
 	"regexp"
 	"slices"
@@ -74,13 +73,14 @@ var (
 	monitorsd         = flag.Bool("monitors.d", false, "check monitors.d folder contents")
 	rootOwner         = flag.Bool("root-owner", false, "expect root to own package files")
 	rootUserContainer = flag.Bool("root-user-container", false, "expect root in container user")
-	fips              = flag.Bool("fips", false, "check agent binary for FIPS compliance")
 )
 
 func TestRPM(t *testing.T) {
 	rpms := getFiles(t, regexp.MustCompile(`\.rpm$`))
 	for _, rpm := range rpms {
-		checkRPM(t, rpm)
+		t.Run(filepath.Base(rpm), func(t *testing.T) {
+			checkRPM(t, rpm)
+		})
 	}
 }
 
@@ -88,30 +88,30 @@ func TestDeb(t *testing.T) {
 	debs := getFiles(t, regexp.MustCompile(`\.deb$`))
 	buf := new(bytes.Buffer)
 	for _, deb := range debs {
-		checkDeb(t, deb, buf)
+		t.Run(filepath.Base(deb), func(t *testing.T) {
+			checkDeb(t, deb, buf)
+		})
 	}
 }
 
 func TestTar(t *testing.T) {
 	// Regexp matches *-arch.tar.gz, but not *-arch.docker.tar.gz
-	tars := getFiles(t, regexp.MustCompile(`-\w+\.tar\.gz$`))
-	for _, tar := range tars {
-		checkTar(t, tar, false)
-	}
-}
+	tarFiles := getFiles(t, regexp.MustCompile(`-\w+\.tar\.gz$`))
+	for _, tarFile := range tarFiles {
+		t.Run(filepath.Base(tarFile), func(t *testing.T) {
+			fipsPackage := strings.Contains(tarFile, "-fips-")
+			checkTar(t, tarFile, fipsPackage)
+		})
 
-func TestFIPSTar(t *testing.T) {
-	// Regexp matches *-arch-fips.tar.gz, but not *-arch.docker.tar.gz
-	tars := getFiles(t, regexp.MustCompile(`-\w+-fips\.tar\.gz$`))
-	for _, tar := range tars {
-		checkTar(t, tar, *fips)
 	}
 }
 
 func TestZip(t *testing.T) {
 	zips := getFiles(t, regexp.MustCompile(`^\w+\S+.zip$`))
 	for _, zip := range zips {
-		checkZip(t, zip)
+		t.Run(filepath.Base(zip), func(t *testing.T) {
+			checkZip(t, zip)
+		})
 	}
 }
 
@@ -119,9 +119,12 @@ func TestDocker(t *testing.T) {
 	dockers := getFiles(t, regexp.MustCompile(`\.docker\.tar\.gz$`))
 	sizeMap := make(map[string]int64)
 	for _, docker := range dockers {
-		t.Log(docker)
-		k, s := checkDocker(t, docker)
-		sizeMap[k] = s
+		fipsPackage := strings.Contains(docker, "-fips-")
+		t.Run(filepath.Base(docker), func(t *testing.T) {
+			t.Log(docker)
+			k, s := checkDocker(t, docker, fipsPackage)
+			sizeMap[k] = s
+		})
 	}
 
 	if len(dockers) == 0 {
@@ -220,18 +223,20 @@ func checkTar(t *testing.T, file string, fipsCheck bool) {
 	checkModulesOwner(t, p, true)
 	checkLicensesPresent(t, "", p)
 
-	t.Run(p.Name+"_check_manifest_file", func(t *testing.T) {
-		tempExtractionPath := t.TempDir()
-		err = mage.Extract(file, tempExtractionPath)
-		require.NoError(t, err, "error extracting tar archive")
-		containingDir := strings.TrimSuffix(path.Base(file), ".tar.gz")
-		checkManifestFileContents(t, filepath.Join(tempExtractionPath, containingDir))
-		if fipsCheck {
-			checkFIPS(t, filepath.Join(tempExtractionPath, containingDir))
-		}
-	})
+	// extract archive in a temporary directory
+	tempExtractionPath := t.TempDir()
+	err = mage.Extract(file, tempExtractionPath)
+	require.NoErrorf(t, err, "error extracting archive %q", file)
+
+	t.Run("check_manifest_file", testManifestFile(tempExtractionPath, fipsCheck))
 
 	checkSha512PackageHash(t, file)
+
+	if fipsCheck {
+		t.Run("FIPS check", func(t *testing.T) {
+			checkFIPS(t, tempExtractionPath)
+		})
+	}
 }
 
 func checkZip(t *testing.T, file string) {
@@ -248,17 +253,26 @@ func checkZip(t *testing.T, file string) {
 	checkModulesPermissions(t, p)
 	checkLicensesPresent(t, "", p)
 
-	t.Run(p.Name+"_check_manifest_file", func(t *testing.T) {
-		tempExtractionPath := t.TempDir()
-		err = mage.Extract(file, tempExtractionPath)
-		require.NoError(t, err, "error extracting zip archive")
-		containingDir := strings.TrimSuffix(path.Base(file), ".zip")
-		checkManifestFileContents(t, filepath.Join(tempExtractionPath, containingDir))
-	})
+	// extract archive in a temporary directory
+	tempExtractionPath := t.TempDir()
+	err = mage.Extract(file, tempExtractionPath)
+	require.NoErrorf(t, err, "error extracting archive %q", file)
+
+	t.Run("check_manifest_file", testManifestFile(tempExtractionPath, false))
 
 	checkSha512PackageHash(t, file)
 }
 
+func testManifestFile(agentPackageRootDir string, checkFips bool) func(t *testing.T) {
+	return func(t *testing.T) {
+		dirEntries, err := os.ReadDir(agentPackageRootDir)
+		require.NoErrorf(t, err, "error listing extraction dir %q", agentPackageRootDir)
+		require.Lenf(t, dirEntries, 1, "archive should contain a single directory: found %v", dirEntries)
+		containingDir := dirEntries[0].Name()
+		checkManifestFileContents(t, filepath.Join(agentPackageRootDir, containingDir))
+	}
+}
+
 func checkManifestFileContents(t *testing.T, extractedPackageDir string) {
 	t.Log("Checking file manifest.yaml")
 	m := parseManifest(t, extractedPackageDir)
@@ -286,7 +300,7 @@ func checkManifestFileContents(t *testing.T, extractedPackageDir string) {
 func parseManifest(t *testing.T, dir string) v1.PackageManifest {
 	manifestReadCloser, err := os.Open(filepath.Join(dir, v1.ManifestFileName))
 	if err != nil {
-		t.Errorf("opening manifest %s : %v", v1.ManifestFileName, err)
+		t.Fatalf("opening manifest %s : %v", v1.ManifestFileName, err)
 	}
 	defer func(closer io.ReadCloser) {
 		err := closer.Close()
@@ -295,7 +309,7 @@ func parseManifest(t *testing.T, dir string) v1.PackageManifest {
 
 	m, err := v1.ParseManifest(manifestReadCloser)
 	if err != nil {
-		t.Errorf("unmarshaling package manifest: %v", err)
+		t.Fatalf("unmarshaling package manifest: %v", err)
 	}
 	return *m
 }
@@ -341,7 +355,7 @@ func checkNpcapNotices(pkg, file string, contents io.Reader) error {
 	return nil
 }
 
-func checkDocker(t *testing.T, file string) (string, int64) {
+func checkDocker(t *testing.T, file string, fipsPackage bool) (string, int64) {
 	if strings.Contains(file, "elastic-otel-collector") {
 		return checkEdotCollectorDocker(t, file)
 	}
@@ -356,7 +370,10 @@ func checkDocker(t *testing.T, file string) (string, int64) {
 	checkDockerLabels(t, p, info, file)
 	checkDockerUser(t, p, info, *rootUserContainer)
 	checkFilePermissions(t, p, configFilePattern, os.FileMode(0644))
-	checkFilePermissions(t, p, otelcolScriptPattern, os.FileMode(0755))
+	if !fipsPackage {
+		// FIPS docker image do not contain an otelcol script, run this check only on non FIPS compliant images
+		checkFilePermissions(t, p, otelcolScriptPattern, os.FileMode(0755))
+	}
 	checkManifestPermissionsWithMode(t, p, os.FileMode(0644))
 	checkModulesPresent(t, "", p)
 	checkModulesDPresent(t, "", p)
@@ -423,7 +440,7 @@ func checkConfigPermissions(t *testing.T, p *packageFile) {
 }
 
 func checkFilePermissions(t *testing.T, p *packageFile, configPattern *regexp.Regexp, expectedMode os.FileMode) {
-	t.Run(p.Name+" file permissions", func(t *testing.T) {
+	t.Run("file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if configPattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -452,7 +469,7 @@ func checkOwner(t *testing.T, entry packageEntry, expectRoot bool) {
 }
 
 func checkConfigOwner(t *testing.T, p *packageFile, expectRoot bool) {
-	t.Run(p.Name+" config file owner", func(t *testing.T) {
+	t.Run("config file owner", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if configFilePattern.MatchString(entry.File) {
 				checkOwner(t, entry, expectRoot)
@@ -469,7 +486,7 @@ func checkManifestPermissions(t *testing.T, p *packageFile) {
 }
 
 func checkManifestPermissionsWithMode(t *testing.T, p *packageFile, expectedMode os.FileMode) {
-	t.Run(p.Name+" manifest file permissions", func(t *testing.T) {
+	t.Run("manifest file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if manifestFilePattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -484,7 +501,7 @@ func checkManifestPermissionsWithMode(t *testing.T, p *packageFile, expectedMode
 
 // Verify that the manifest owner is correct.
 func checkManifestOwner(t *testing.T, p *packageFile, expectRoot bool) {
-	t.Run(p.Name+" manifest file owner", func(t *testing.T) {
+	t.Run("manifest file owner", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if manifestFilePattern.MatchString(entry.File) {
 				checkOwner(t, entry, expectRoot)
@@ -495,7 +512,7 @@ func checkManifestOwner(t *testing.T, p *packageFile, expectRoot bool) {
 
 // Verify the permissions of the modules.d dir and its contents.
 func checkModulesPermissions(t *testing.T, p *packageFile) {
-	t.Run(p.Name+" modules.d file permissions", func(t *testing.T) {
+	t.Run("modules.d file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if modulesDFilePattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -516,7 +533,7 @@ func checkModulesPermissions(t *testing.T, p *packageFile) {
 
 // Verify the owner of the modules.d dir and its contents.
 func checkModulesOwner(t *testing.T, p *packageFile, expectRoot bool) {
-	t.Run(p.Name+" modules.d file owner", func(t *testing.T) {
+	t.Run("modules.d file owner", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if modulesDFilePattern.MatchString(entry.File) || modulesDDirPattern.MatchString(entry.File) {
 				checkOwner(t, entry, expectRoot)
@@ -529,7 +546,7 @@ func checkModulesOwner(t *testing.T, p *packageFile, expectRoot bool) {
 // executable.
 func checkSystemdUnitPermissions(t *testing.T, p *packageFile) {
 	const expectedMode = os.FileMode(0644)
-	t.Run(p.Name+" systemd unit file permissions", func(t *testing.T) {
+	t.Run("systemd unit file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if systemdUnitFilePattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -565,7 +582,7 @@ func checkMonitorsDPresent(t *testing.T, prefix string, p *packageFile) {
 }
 
 func checkHintsInputsD(t *testing.T, name string, r *regexp.Regexp, p *packageFile) {
-	t.Run(fmt.Sprintf("%s %s contents", p.Name, name), func(t *testing.T) {
+	t.Run(fmt.Sprintf("%s contents", name), func(t *testing.T) {
 		total := 0
 		for _, entry := range p.Contents {
 			if r.MatchString(entry.File) {
@@ -632,7 +649,7 @@ func checkLicensesPresent(t *testing.T, prefix string, p *packageFile) {
 func checkDockerEntryPoint(t *testing.T, p *packageFile, info *dockerInfo) {
 	expectedMode := os.FileMode(0755)
 
-	t.Run(fmt.Sprintf("%s entrypoint", p.Name), func(t *testing.T) {
+	t.Run("entrypoint", func(t *testing.T) {
 		if len(info.Config.Entrypoint) == 0 {
 			t.Fatal("no entrypoint")
 		}
@@ -659,7 +676,7 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 		return
 	}
 
-	t.Run(fmt.Sprintf("%s license labels", p.Name), func(t *testing.T) {
+	t.Run("license labels", func(t *testing.T) {
 		expectedLicense := "Elastic License"
 		ossPrefix := strings.Join([]string{
 			info.Config.Labels["org.label-schema.name"],
@@ -680,7 +697,7 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 		}
 	})
 
-	t.Run(fmt.Sprintf("%s required labels", p.Name), func(t *testing.T) {
+	t.Run("required labels", func(t *testing.T) {
 		// From https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/program-on-boarding/technical-prerequisites
 		requiredLabels := []string{"name", "vendor", "version", "release", "summary", "description"}
 		for _, label := range requiredLabels {
@@ -692,60 +709,85 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 }
 
 func checkDockerUser(t *testing.T, p *packageFile, info *dockerInfo, expectRoot bool) {
-	t.Run(fmt.Sprintf("%s user", p.Name), func(t *testing.T) {
+	t.Run("user", func(t *testing.T) {
 		if expectRoot != (info.Config.User == rootUser) {
 			t.Errorf("unexpected docker user: %s", info.Config.User)
 		}
 	})
 }
 
-func checkFIPS(t *testing.T, extractedPackageDir string) {
+func checkFIPS(t *testing.T, agentPackageRootDir string) {
+	dirEntries, err := os.ReadDir(agentPackageRootDir)
+	require.NoErrorf(t, err, "error listing extraction dir %q", agentPackageRootDir)
+	require.Lenf(t, dirEntries, 1, "archive should contain a single directory: found %v", dirEntries)
+
+	extractedPackageDir := filepath.Join(agentPackageRootDir, dirEntries[0].Name())
 	t.Logf("Checking agent binary in %q for FIPS compliance", extractedPackageDir)
 	m := parseManifest(t, extractedPackageDir)
 	versionedHome := m.Package.VersionedHome
-	require.DirExistsf(t, filepath.Join(extractedPackageDir, versionedHome), " versiondedHome directory %q not found in %q", versionedHome, extractedPackageDir)
+	versionedHomePath := filepath.Join(extractedPackageDir, versionedHome)
+	require.DirExistsf(t, versionedHomePath, " versiondedHome directory %q not found in %q", versionedHome, extractedPackageDir)
 	binaryPath := filepath.Join(extractedPackageDir, versionedHome, "elastic-agent") // TODO eventually we will need to support .exe as well
 	require.FileExistsf(t, binaryPath, "Unable to find elastic-agent executable in versioned home in %q", extractedPackageDir)
 
-	info, err := buildinfo.ReadFile(binaryPath)
+	binaries := []string{binaryPath}
+	componentsDir := filepath.Join(versionedHomePath, "components")
+	entries, err := filepath.Glob(filepath.Join(componentsDir, "*.spec.yml"))
 	require.NoError(t, err)
+	for _, dirEntry := range entries {
+		componentBinary := strings.TrimSuffix(dirEntry, ".spec.yml")
+		binaries = append(binaries, componentBinary)
+	}
+
+	for _, binary := range binaries {
+		binaryRelPath, err := filepath.Rel(agentPackageRootDir, binary)
+		require.NoError(t, err)
+		t.Run(binaryRelPath, func(t *testing.T) {
+			fileInfo, err := os.Stat(binary)
+			require.NoErrorf(t, err, "error collecting info on component %s", binary)
+			require.Truef(t, fileInfo.Mode().IsRegular() && (fileInfo.Mode().Perm()&0111 > 0), "component %s exists and has a spec file but it's not an executable regular file", binary)
+
+			info, err := buildinfo.ReadFile(binary)
+			require.NoError(t, err)
+
+			foundTags := false
+			foundExperiment := false
+			for _, setting := range info.Settings {
+				switch setting.Key {
+				case "-tags":
+					foundTags = true
+					require.Contains(t, setting.Value, "requirefips")
+					continue
+				case "GOEXPERIMENT":
+					foundExperiment = true
+					require.Contains(t, setting.Value, "systemcrypto")
+					continue
+				}
+			}
 
-	foundTags := false
-	foundExperiment := false
-	for _, setting := range info.Settings {
-		switch setting.Key {
-		case "-tags":
-			foundTags = true
-			require.Contains(t, setting.Value, "requirefips")
-			continue
-		case "GOEXPERIMENT":
-			foundExperiment = true
-			require.Contains(t, setting.Value, "systemcrypto")
-			continue
-		}
-	}
-
-	require.True(t, foundTags, "Did not find -tags within binary version information")
-	require.True(t, foundExperiment, "Did not find GOEXPERIMENT within binary version information")
+			require.True(t, foundTags, "Did not find -tags within binary version information")
+			require.True(t, foundExperiment, "Did not find GOEXPERIMENT within binary version information")
 
-	// TODO only elf is supported at the moment, in the future we will need to use macho (darwin) and pe (windows)
-	f, err := elf.Open(binaryPath)
-	require.NoError(t, err, "unable to open ELF file")
+			// TODO only elf is supported at the moment, in the future we will need to use macho (darwin) and pe (windows)
+			f, err := elf.Open(binary)
+			require.NoError(t, err, "unable to open ELF file")
 
-	symbols, err := f.Symbols()
-	if err != nil {
-		t.Logf("no symbols present in %q: %v", binaryPath, err)
-		return
-	}
+			symbols, err := f.Symbols()
+			if err != nil {
+				t.Logf("no symbols present in %q: %v", binary, err)
+				return
+			}
 
-	hasOpenSSL := false
-	for _, symbol := range symbols {
-		if strings.Contains(symbol.Name, "OpenSSL_version") {
-			hasOpenSSL = true
-			break
-		}
+			hasOpenSSL := false
+			for _, symbol := range symbols {
+				if strings.Contains(symbol.Name, "OpenSSL_version") {
+					hasOpenSSL = true
+					break
+				}
+			}
+			require.True(t, hasOpenSSL, "unable to find OpenSSL_version symbol")
+		})
 	}
-	require.True(t, hasOpenSSL, "unable to find OpenSSL_version symbol")
 }
 
 // ensureNoBuildIDLinks checks for regressions related to
diff --git a/magefile.go b/magefile.go
index 732e4f85f44..6e086c05f95 100644
--- a/magefile.go
+++ b/magefile.go
@@ -97,8 +97,9 @@ const (
 
 	cloudImageTmpl = "docker.elastic.co/observability-ci/elastic-agent:%s"
 
-	baseURLForStagingDRA = "https://staging.elastic.co/"
-	agentCoreProjectName = "elastic-agent-core"
+	baseURLForSnapshotDRA = "https://snapshots.elastic.co/"
+	baseURLForStagingDRA  = "https://staging.elastic.co/"
+	agentCoreProjectName  = "elastic-agent-core"
 
 	helmChartPath      = "./deploy/helm/elastic-agent"
 	helmOtelChartPath  = "./deploy/helm/edot-collector/kube-stack"
@@ -571,6 +572,9 @@ func Package(ctx context.Context) error {
 		dependenciesVersion = beatVersion
 	}
 
+	// add the snapshot suffix if needed
+	dependenciesVersion += devtools.SnapshotSuffix()
+
 	packageAgent(ctx, platforms, dependenciesVersion, manifestResponse, mg.F(devtools.UseElasticAgentPackaging), mg.F(CrossBuild), devtools.SelectedPackageTypes)
 	return nil
 }
@@ -596,7 +600,16 @@ func DownloadManifest(ctx context.Context) error {
 		return errAtLeastOnePlatform
 	}
 
-	if e := manifest.DownloadComponents(ctx, devtools.ManifestURL, platforms, dropPath); e != nil {
+	// Enforce that we use the correct elastic-agent packaging, to correctly load component dependencies
+	// Use mg.Deps() to ensure that the function will be called only once per mage invocation.
+	// devtools.Use*Packaging functions are not idempotent as they append in devtools.Packages
+	mg.Deps(devtools.UseElasticAgentPackaging)
+	dependencies, err := ExtractComponentsFromSelectedPkgSpecs(devtools.Packages)
+	if err != nil {
+		return fmt.Errorf("failed extracting dependencies: %w", err)
+	}
+
+	if e := manifest.DownloadComponents(ctx, dependencies, devtools.ManifestURL, platforms, dropPath); e != nil {
 		return fmt.Errorf("failed to download the manifest file, %w", e)
 	}
 	log.Printf(">> Completed downloading packages from manifest into drop-in %s", dropPath)
@@ -604,6 +617,83 @@ func DownloadManifest(ctx context.Context) error {
 	return nil
 }
 
+func ExtractComponentsFromSelectedPkgSpecs(pkgSpecs []devtools.OSPackageArgs) ([]packaging.BinarySpec, error) {
+	// Extract the dependencies from the selected packages
+	mappedDependencies := map[string]packaging.BinarySpec{}
+	for _, pkg := range pkgSpecs {
+		if isSelected(pkg) {
+			if mg.Verbose() {
+				log.Printf("package %s is selected, collecting dependencies", pkg.Spec.Name)
+			}
+
+			for _, component := range pkg.Spec.Components {
+
+				if existingComp, ok := mappedDependencies[component.PackageName]; ok {
+					// sanity check: verify that for the same packageName we have the same component spec
+					if !existingComp.Equal(component) {
+						return nil, fmt.Errorf("found component %+v and %+v sharing the same package name %q but they are not equal",
+							existingComp, component, component.PackageName)
+					}
+				} else {
+					mappedDependencies[component.PackageName] = component
+					if mg.Verbose() {
+						log.Printf("Added component %s to the list of component to download from manifest", component.PackageName)
+					}
+				}
+			}
+		}
+	}
+
+	// collect the dependencies into a slice
+	dependencies := make([]packaging.BinarySpec, 0, len(mappedDependencies))
+	for _, pkg := range mappedDependencies {
+		dependencies = append(dependencies, pkg)
+	}
+
+	return dependencies, nil
+}
+
+func isSelected(pkg devtools.OSPackageArgs) bool {
+
+	// Checks if this package is compatible with the FIPS settings
+	if pkg.Spec.FIPS != devtools.FIPSBuild {
+		log.Printf("Skipping %s/%s package type because FIPS flag doesn't match [pkg=%v, build=%v]", pkg.Spec.Name, pkg.OS, pkg.Spec.FIPS, devtools.FIPSBuild)
+		return false
+	}
+
+	platforms := devtools.Platforms
+	for _, platform := range platforms {
+		if !isPackageSelectedForPlatform(pkg, platform) {
+			continue
+		}
+
+		pkgTypesSelected := 0
+		for _, pkgType := range pkg.Types {
+			if !devtools.IsPackageTypeSelected(pkgType) {
+				log.Printf("Skipping %s package type because it is not selected", pkgType)
+				continue
+			}
+
+			if pkgType == devtools.Docker && !devtools.IsDockerVariantSelected(pkg.Spec.DockerVariant) {
+				log.Printf("Skipping %s docker variant type because it is not selected", pkg.Spec.DockerVariant)
+				continue
+			}
+			pkgTypesSelected++
+		}
+		// if we found at least one package type for one platform the package spec is selected
+		return pkgTypesSelected > 0
+	}
+	return true
+}
+
+func isPackageSelectedForPlatform(pkg devtools.OSPackageArgs, platform devtools.BuildPlatform) bool {
+	if pkg.OS == platform.GOOS() && (pkg.Arch == "" || pkg.Arch == platform.Arch()) {
+		return true
+	}
+
+	return false
+}
+
 // FixDRADockerArtifacts is a workaround for the DRA artifacts produced by the package target. We had to do
 // because the initial unified release manager DSL code required specific names that the package does not produce,
 // we wanted to keep backwards compatibility with the artifacts of the unified release and the DRA.
@@ -1043,8 +1133,20 @@ func packageAgent(ctx context.Context, platforms []string, dependenciesVersion s
 		log.Printf("--- Packaging dependenciesVersion[%s], %+v \n", dependenciesVersion, platforms)
 	}
 
+	log.Println("--- Running packaging function")
+	mg.Deps(agentPackaging)
+
+	dependencies, err := ExtractComponentsFromSelectedPkgSpecs(devtools.Packages)
+	if err != nil {
+		return fmt.Errorf("failed extracting dependencies: %w", err)
+	}
+
+	if mg.Verbose() {
+		log.Printf("dependencies extracted from package specs: %v", dependencies)
+	}
+
 	// download/copy all the necessary dependencies for packaging elastic-agent
-	archivePath, dropPath := collectPackageDependencies(platforms, dependenciesVersion, packageTypes)
+	archivePath, dropPath := collectPackageDependencies(platforms, dependenciesVersion, packageTypes, dependencies)
 
 	// cleanup after build
 	defer os.RemoveAll(archivePath)
@@ -1060,12 +1162,9 @@ func packageAgent(ctx context.Context, platforms []string, dependenciesVersion s
 	defer os.RemoveAll(flatPath)
 
 	// extract all dependencies from their archives into flat dir
-	flattenDependencies(platforms, dependenciesVersion, archivePath, dropPath, flatPath, manifestResponse)
+	flattenDependencies(platforms, dependenciesVersion, archivePath, dropPath, flatPath, manifestResponse, dependencies)
 
 	// package agent
-	log.Println("--- Running packaging function")
-	mg.Deps(agentPackaging)
-
 	log.Println("--- Running post packaging ")
 	mg.Deps(Update)
 	mg.Deps(agentBinaryTarget, CrossBuildGoDaemon)
@@ -1084,7 +1183,7 @@ func packageAgent(ctx context.Context, platforms []string, dependenciesVersion s
 // NOTE: after the build is done the caller must:
 // - delete archivePath and dropPath contents
 // - unset AGENT_DROP_PATH environment variable
-func collectPackageDependencies(platforms []string, packageVersion string, packageTypes []mage.PackageType) (archivePath string, dropPath string) {
+func collectPackageDependencies(platforms []string, packageVersion string, packageTypes []devtools.PackageType, dependencies []packaging.BinarySpec) (archivePath, dropPath string) {
 	dropPath, found := os.LookupEnv(agentDropPath)
 
 	// try not to shadow too many variables
@@ -1096,17 +1195,13 @@ func collectPackageDependencies(platforms []string, packageVersion string, packa
 		dropPath = filepath.Join("build", "distributions", "elastic-agent-drop")
 		dropPath, err = filepath.Abs(dropPath)
 		if err != nil {
-			panic(err)
+			panic(fmt.Errorf("obtaining absolute path for default drop path: %w", err))
 		}
 
 		if mg.Verbose() {
 			log.Printf(">> Creating drop-in folder %+v \n", dropPath)
 		}
-		archivePath = movePackagesToArchive(dropPath, platforms, packageVersion)
-
-		if hasSnapshotEnv() {
-			packageVersion = fmt.Sprintf("%s-SNAPSHOT", packageVersion)
-		}
+		archivePath = movePackagesToArchive(dropPath, platforms, packageVersion, dependencies)
 
 		os.Setenv(agentDropPath, dropPath)
 
@@ -1127,7 +1222,8 @@ func collectPackageDependencies(platforms []string, packageVersion string, packa
 
 			errGroup, ctx := errgroup.WithContext(context.Background())
 			completedDownloads := &atomic.Int32{}
-			for _, spec := range packaging.ExpectedBinaries {
+
+			for _, spec := range dependencies {
 				for _, platform := range platforms {
 
 					if !spec.SupportsPlatform(platform) {
@@ -1181,7 +1277,11 @@ func collectPackageDependencies(platforms []string, packageVersion string, packa
 					cmd.Dir = pwd
 					cmd.Stdout = os.Stdout
 					cmd.Stderr = os.Stderr
-					cmd.Env = append(os.Environ(), fmt.Sprintf("PWD=%s", pwd), "AGENT_PACKAGING=on")
+					cmd.Env = append(os.Environ(),
+						fmt.Sprintf("PWD=%s", pwd),
+						"AGENT_PACKAGING=on",
+						fmt.Sprintf("FIPS=%v", devtools.FIPSBuild),
+					)
 					if envVar := selectedPackageTypes(); envVar != "" {
 						cmd.Env = append(cmd.Env, envVar)
 					}
@@ -1227,18 +1327,18 @@ func collectPackageDependencies(platforms []string, packageVersion string, packa
 			}
 		}
 	} else {
-		archivePath = movePackagesToArchive(dropPath, platforms, packageVersion)
+		archivePath = movePackagesToArchive(dropPath, platforms, packageVersion, nil)
 	}
 	return archivePath, dropPath
 }
 
-func removePythonWheels(matches []string, version string) []string {
+func removePythonWheels(matches []string, version string, dependencies []packaging.BinarySpec) []string {
 	if hasSnapshotEnv() {
 		version = fmt.Sprintf("%s-SNAPSHOT", version)
 	}
 
 	var wheels []string
-	for _, spec := range packaging.ExpectedBinaries {
+	for _, spec := range dependencies {
 		if spec.PythonWheel {
 			wheels = append(wheels, spec.GetPackageName(version, ""))
 		}
@@ -1255,7 +1355,7 @@ func removePythonWheels(matches []string, version string) []string {
 
 // flattenDependencies will extract all the required packages collected in archivePath and dropPath in flatPath and
 // regenerate checksums
-func flattenDependencies(platforms []string, dependenciesVersion, archivePath, dropPath, flatPath string, manifestResponse *manifest.Build) {
+func flattenDependencies(platforms []string, dependenciesVersion, archivePath, dropPath, flatPath string, manifestResponse *manifest.Build, dependencies []packaging.BinarySpec) {
 
 	for _, pltf := range platforms {
 
@@ -1285,7 +1385,7 @@ func flattenDependencies(platforms []string, dependenciesVersion, archivePath, d
 
 		// never flatten any python wheels, the packages.yml and docker should handle
 		// those specifically so that the python wheels are installed into the container
-		matches = removePythonWheels(matches, dependenciesVersion)
+		matches = removePythonWheels(matches, dependenciesVersion, dependencies)
 
 		if mg.Verbose() {
 			log.Printf("--- Extracting into the flat dir: %v", matches)
@@ -1315,9 +1415,9 @@ func flattenDependencies(platforms []string, dependenciesVersion, archivePath, d
 		checksums := make(map[string]string)
 		// Operate on the files depending on if we're packaging from a manifest or not
 		if manifestResponse != nil {
-			checksums = devtools.ChecksumsWithManifest(pltf, dependenciesVersion, versionedFlatPath, versionedDropPath, manifestResponse)
+			checksums = devtools.ChecksumsWithManifest(pltf, dependenciesVersion, versionedFlatPath, versionedDropPath, manifestResponse, dependencies)
 		} else {
-			checksums = devtools.ChecksumsWithoutManifest(versionedFlatPath, versionedDropPath, dependenciesVersion)
+			checksums = devtools.ChecksumsWithoutManifest(pltf, dependenciesVersion, versionedFlatPath, versionedDropPath, dependencies)
 		}
 
 		if err := appendComponentChecksums(versionedDropPath, checksums); err != nil {
@@ -1338,7 +1438,25 @@ type branchInfo struct {
 // FetchLatestAgentCoreStagingDRA is a mage target that will retrieve the elastic-agent-core DRA artifacts and
 // place them under build/dra/buildID. It accepts one argument that has to be a release branch present in staging DRA
 func FetchLatestAgentCoreStagingDRA(ctx context.Context, branch string) error {
-	branchInfo, err := findLatestBuildForBranch(ctx, baseURLForStagingDRA, branch)
+
+	elasticAgentCoreComponents := packaging.FilterComponents(packaging.WithProjectName(agentCoreProjectName), packaging.WithFIPS(devtools.FIPSBuild))
+
+	if len(elasticAgentCoreComponents) != 1 {
+		return fmt.Errorf(
+			"found an unexpected number of elastic-agent-core components (should be 1) [projectName: %q, fips: %v]: %v",
+			agentCoreProjectName,
+			devtools.FIPSBuild,
+			elasticAgentCoreComponents,
+		)
+	}
+
+	elasticAgentCoreComponent := elasticAgentCoreComponents[0]
+
+	branchInformation, err := findLatestBuildForBranch(ctx, baseURLForSnapshotDRA, branch)
+
+	if err != nil {
+		return fmt.Errorf("getting latest build for branch %q: %v", err)
+	}
 
 	// Create a dir with the buildID at <root>/build/dra/<buildID>
 	repositoryRoot, err := findRepositoryRoot()
@@ -1351,14 +1469,19 @@ func FetchLatestAgentCoreStagingDRA(ctx context.Context, branch string) error {
 		return fmt.Errorf("creating %q directory: %w", err)
 	}
 
-	artifacts, err := downloadDRAArtifacts(ctx, branchInfo.ManifestURL, draDownloadDir, agentCoreProjectName)
+	build, err := manifest.DownloadManifest(ctx, branchInformation.ManifestURL)
 	if err != nil {
-		return fmt.Errorf("downloading DRA artifacts from %q: %w", branchInfo.ManifestURL, err)
+		return fmt.Errorf("downloading manifest from %q: %w", branchInformation.ManifestURL, err)
+	}
+
+	artifacts, err := downloadDRAArtifacts(ctx, &build, build.Version, draDownloadDir, elasticAgentCoreComponent)
+	if err != nil {
+		return fmt.Errorf("downloading DRA artifacts from %q: %w", branchInformation.ManifestURL, err)
 	}
 
 	fmt.Println("Downloaded agent core DRAs:")
 	for k := range artifacts {
-		fmt.Println(k)
+		fmt.Println(filepath.Join(draDownloadDir, k))
 	}
 	return nil
 }
@@ -1392,7 +1515,7 @@ func PackageUsingDRA(ctx context.Context) error {
 		return fmt.Errorf("setting agent commit hash %q: %w", agentCoreProject.CommitHash, err)
 	}
 
-	return packageAgent(ctx, platforms, parsedVersion.VersionWithPrerelease(), manifestResponse, mg.F(devtools.UseElasticAgentPackaging), mg.F(useDRAAgentBinaryForPackage, devtools.ManifestURL), devtools.SelectedPackageTypes)
+	return packageAgent(ctx, platforms, parsedVersion.VersionWithPrerelease(), manifestResponse, mg.F(devtools.UseElasticAgentPackaging), mg.F(useDRAAgentBinaryForPackage, devtools.ManifestURL, parsedVersion.VersionWithPrerelease()), devtools.SelectedPackageTypes)
 }
 
 func downloadManifestAndSetVersion(ctx context.Context, url string) (*manifest.Build, *version.ParsedSemVer, error) {
@@ -1477,42 +1600,9 @@ func mapManifestPlatformToAgentPlatform(manifestPltf string) (string, bool) {
 	return mappedPltf, found
 }
 
-func filterPackagesByPlatform(pkgs map[string]manifest.Package) map[string]manifest.Package {
-	if mg.Verbose() {
-		log.Printf("unfiltered packages: %v", pkgs)
-	}
-	platforms := devtools.Platforms.Names()
-	filteredPackages := map[string]manifest.Package{}
-	for pkgName, pkgDesc := range pkgs {
-		if mg.Verbose() {
-			log.Printf("checking if %s:%v should be included", pkgName, pkgDesc)
-		}
-		for _, pkgOS := range pkgDesc.Os {
-			platformString, _ := mapManifestPlatformToAgentPlatform(fmt.Sprintf("%s/%s", pkgOS, pkgDesc.Architecture))
-			if slices.Contains(platforms, platformString) {
-				if mg.Verbose() {
-					log.Printf("platforms include %s", platformString)
-				}
-				filteredPackages[pkgName] = pkgDesc
-				break
-			}
-		}
-	}
-	if mg.Verbose() {
-		log.Printf("filtered packages: %v", filteredPackages)
-	}
-	return filteredPackages
-}
+func downloadDRAArtifacts(ctx context.Context, build *manifest.Build, version string, draDownloadDir string, components ...packaging.BinarySpec) (map[string]manifest.Package, error) {
 
-func downloadDRAArtifacts(ctx context.Context, manifestUrl string, downloadDir string, projects ...string) (map[string]manifest.Package, error) {
-	build, err := manifest.DownloadManifest(ctx, manifestUrl)
-	if err != nil {
-		return nil, fmt.Errorf("downloading manifest from %q: %w", manifestUrl, err)
-	}
-
-	// Create a dir with the buildID at <downloadDir>/<buildID>
-	draDownloadDir := filepath.Join(downloadDir, build.BuildID)
-	err = os.MkdirAll(draDownloadDir, 0o770)
+	err := os.MkdirAll(draDownloadDir, 0o770)
 	if err != nil {
 		return nil, fmt.Errorf("creating %q directory: %w", draDownloadDir, err)
 	}
@@ -1522,60 +1612,93 @@ func downloadDRAArtifacts(ctx context.Context, manifestUrl string, downloadDir s
 	downloadedArtifacts := map[string]manifest.Package{}
 	errGrp, errCtx := errgroup.WithContext(ctx)
 
-	for _, projectName := range projects {
-		project, ok := build.Projects[projectName]
-		if !ok {
-			return nil, fmt.Errorf("project %q not found in manifest at %q", projectName, manifestUrl)
-		}
+	var downloaders []func() error
 
-		if mg.Verbose() {
-			log.Printf("build %q project %s packages: %+v", build.BuildID, projectName, project)
-		}
-		// filter down the packages to the platforms we are building/support
-		filteredPackages := filterPackagesByPlatform(project.Packages)
-		if mg.Verbose() {
-			log.Printf("packages to download: %v", filteredPackages)
-		}
-		for pkgName, pkgDesc := range filteredPackages {
-			downloadFunc := func(pkgName string, pkgDesc manifest.Package) func() error {
-				return func() error {
-					artifactDownloadPath := filepath.Join(draDownloadDir, pkgName)
-					err := manifest.DownloadPackage(errCtx, pkgDesc.URL, artifactDownloadPath)
-					if err != nil {
-						return fmt.Errorf("downloading %q: %w", pkgName, err)
-					}
+	for _, comp := range components {
+		for _, platform := range devtools.Platforms.Names() {
 
-					// download the SHA to check integrity
-					artifactSHADownloadPath := filepath.Join(draDownloadDir, pkgName+sha512FileExt)
-					err = manifest.DownloadPackage(errCtx, pkgDesc.ShaURL, artifactSHADownloadPath)
-					if err != nil {
-						return fmt.Errorf("downloading SHA for %q: %w", pkgName, err)
-					}
+			if !comp.SupportsPlatform(platform) {
+				if mg.Verbose() {
+					log.Printf("skipping download of %s/%s for platform %s as it's not supported", comp.ProjectName, comp.BinaryName, platform)
+				}
+				continue
+			}
 
-					err = download.VerifyChecksum(sha512.New(), artifactDownloadPath, artifactSHADownloadPath)
-					if err != nil {
-						return fmt.Errorf("validating checksum for %q: %w", pkgName, err)
-					}
+			project, ok := build.Projects[comp.ProjectName]
+			if !ok {
+				return nil, fmt.Errorf("project %q not found in manifest", comp.ProjectName)
+			}
 
-					// we should probably validate the signature, it can be done later as we return the package metadata
-					// see https://github.com/elastic/elastic-agent/issues/4445
+			if mg.Verbose() {
+				log.Printf("build %q project %s packages: %+v", build.BuildID, comp.ProjectName, project)
+			}
 
-					mx.Lock()
-					defer mx.Unlock()
-					downloadedArtifacts[artifactDownloadPath] = pkgDesc
+			packageName := comp.GetPackageName(version, platform)
 
-					return nil
-				}
-			}(pkgName, pkgDesc)
+			if packageSpec, ok := project.Packages[packageName]; ok {
+				downloadFunc := func(pkgName string, pkgDesc manifest.Package) func() error {
+					return func() error {
+						artifactDownloadPath := filepath.Join(draDownloadDir, pkgName)
+						err := manifest.DownloadPackage(errCtx, pkgDesc.URL, artifactDownloadPath)
+						if err != nil {
+							return fmt.Errorf("downloading %q: %w", pkgName, err)
+						}
+
+						// download the SHA to check integrity
+						artifactSHADownloadPath := filepath.Join(draDownloadDir, pkgName+sha512FileExt)
+						err = manifest.DownloadPackage(errCtx, pkgDesc.ShaURL, artifactSHADownloadPath)
+						if err != nil {
+							return fmt.Errorf("downloading SHA for %q: %w", pkgName, err)
+						}
+
+						err = download.VerifyChecksum(sha512.New(), artifactDownloadPath, artifactSHADownloadPath)
+						if err != nil {
+							return fmt.Errorf("validating checksum for %q: %w", pkgName, err)
+						}
+
+						// we should probably validate the signature, it can be done later as we return the package metadata
+						// see https://github.com/elastic/elastic-agent/issues/4445
+
+						mx.Lock()
+						defer mx.Unlock()
+						downloadedArtifacts[pkgName] = pkgDesc
+
+						return nil
+					}
+				}(packageName, packageSpec)
+				downloaders = append(downloaders, downloadFunc)
+			} else {
+				return nil, fmt.Errorf("package %q not found in project %q", packageName, comp.ProjectName)
+			}
 
-			errGrp.Go(downloadFunc)
 		}
 	}
 
+	for _, downloader := range downloaders {
+		errGrp.Go(downloader)
+	}
+
 	return downloadedArtifacts, errGrp.Wait()
 }
 
-func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error {
+func useDRAAgentBinaryForPackage(ctx context.Context, manifestURL string, version string) error {
+
+	elasticAgentCoreComponents := packaging.FilterComponents(packaging.WithProjectName(agentCoreProjectName), packaging.WithFIPS(devtools.FIPSBuild))
+
+	if len(elasticAgentCoreComponents) != 1 {
+		return fmt.Errorf(
+			"found an unexpected number of elastic-agent-core components (should be 1) [projectName: %q, fips: %v]: %v",
+			agentCoreProjectName,
+			devtools.FIPSBuild,
+			elasticAgentCoreComponents,
+		)
+	}
+
+	elasticAgentCoreComponent := elasticAgentCoreComponents[0]
+	if mg.Verbose() {
+		log.Printf("found elastic-agent-core component used: %v", elasticAgentCoreComponent)
+	}
+
 	repositoryRoot, err := findRepositoryRoot()
 	if err != nil {
 		return fmt.Errorf("looking up for repository root: %w", err)
@@ -1583,8 +1706,16 @@ func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error
 
 	downloadDir := filepath.Join(repositoryRoot, "build", "dra")
 
+	manifestResponse, err := manifest.DownloadManifest(ctx, manifestURL)
+	if err != nil {
+		return fmt.Errorf("downloading manifest from %s: %w", manifestURL, err)
+	}
+
 	// fetch the agent-core DRA artifacts for the current branch
-	artifacts, err := downloadDRAArtifacts(ctx, manifestUrl, downloadDir, agentCoreProjectName)
+
+	// Create a dir with the buildID at <downloadDir>/<buildID>
+	draDownloadDir := filepath.Join(downloadDir, manifestResponse.BuildID)
+	artifacts, err := downloadDRAArtifacts(ctx, &manifestResponse, version, draDownloadDir, elasticAgentCoreComponent)
 	if err != nil {
 		return fmt.Errorf("downloading elastic-agent-core artifacts: %w", err)
 	}
@@ -1592,39 +1723,43 @@ func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error
 	mg.Deps(EnsureCrossBuildOutputDir)
 
 	// place the artifacts where the package.yml expects them (in build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}})
-	for artifactFile, artifactMeta := range artifacts {
+	for _, platform := range devtools.Platforms.Names() {
+		if !elasticAgentCoreComponent.SupportsPlatform(platform) {
+			continue
+		}
+
+		expectedPackageName := elasticAgentCoreComponent.GetPackageName(version, platform)
+
+		artifactMetadata, ok := artifacts[expectedPackageName]
+
+		if !ok {
+			return fmt.Errorf("elastic-agent-core package %q has not been downloaded for platform %s", expectedPackageName, platform)
+		}
+
 		// uncompress the archive first
 		const extractionSubdir = "extracted"
-		extractDir := filepath.Join(filepath.Dir(artifactFile), extractionSubdir)
+		extractDir := filepath.Join(draDownloadDir, extractionSubdir)
+		artifactFile := filepath.Join(draDownloadDir, expectedPackageName)
 		err = devtools.Extract(artifactFile, extractDir)
 		if err != nil {
 			return fmt.Errorf("extracting %q: %w", artifactFile, err)
 		}
 
-		// we can take a shortcut as the archive contains a subdirectory with the same name of the file minus the extension
-		// and we have to rename the binary file while moving using the same name
-		artifactBaseFileName := filepath.Base(artifactFile)
-		artifactBaseFileExt := filepath.Ext(artifactBaseFileName)
-		if artifactBaseFileExt == ".gz" {
-			// get the next extension to get .tar.gz if it's there
-			artifactBaseFileExt = filepath.Ext(strings.TrimSuffix(artifactBaseFileName, artifactBaseFileExt)) + artifactBaseFileExt
-		}
-
 		// this is the directory name where we can find the agent executable
-		targetArtifactName := strings.TrimSuffix(artifactBaseFileName, artifactBaseFileExt)
-		const agentBinaryName = "elastic-agent"
+		targetArtifactName := elasticAgentCoreComponent.GetRootDir(version, platform)
 		binaryExt := ""
-		if slices.Contains(artifactMeta.Os, "windows") {
+		if slices.Contains(artifactMetadata.Os, "windows") {
 			binaryExt += ".exe"
 		}
-		srcBinaryPath := filepath.Join(extractDir, targetArtifactName, agentBinaryName+binaryExt)
+
+		srcBinaryPath := filepath.Join(extractDir, targetArtifactName, elasticAgentCoreComponent.BinaryName+binaryExt)
 		srcStat, err := os.Stat(srcBinaryPath)
 		if err != nil {
 			return fmt.Errorf("stat source binary name %q: %w", srcBinaryPath, err)
 		}
 		log.Printf("Source binary %q stat: %+v", srcBinaryPath, srcStat)
 
-		dstPlatform, _ := mapManifestPlatformToAgentPlatform(fmt.Sprintf("%s-%s", artifactMeta.Os[0], artifactMeta.Architecture))
+		dstPlatform, _ := mapManifestPlatformToAgentPlatform(fmt.Sprintf("%s-%s", artifactMetadata.Os[0], artifactMetadata.Architecture))
 		dstFileName := fmt.Sprintf("elastic-agent-%s", dstPlatform) + binaryExt
 		dstBinaryPath := filepath.Join(repositoryRoot, "build", "golang-crossbuild", dstFileName)
 
@@ -1637,6 +1772,7 @@ func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error
 			return fmt.Errorf("copying %q to %q: %w", srcBinaryPath, dstBinaryPath, err)
 		}
 	}
+
 	return nil
 }
 
@@ -1686,7 +1822,7 @@ func appendComponentChecksums(versionedDropPath string, checksums map[string]str
 }
 
 // movePackagesToArchive Create archive folder and move any pre-existing artifacts into it.
-func movePackagesToArchive(dropPath string, platforms []string, packageVersion string) string {
+func movePackagesToArchive(dropPath string, platforms []string, packageVersion string, dependencies []packaging.BinarySpec) string {
 	archivePath := filepath.Join(dropPath, "archives")
 	os.MkdirAll(archivePath, 0o755)
 
@@ -1708,7 +1844,7 @@ func movePackagesToArchive(dropPath string, platforms []string, packageVersion s
 				log.Printf("--- Evaluating moving dependency %s to archive path %s\n", f, archivePath)
 			}
 			// if the matched file name does not contain the platform suffix and it's not a platform-independent package, skip it
-			if !strings.Contains(f, packageSuffix) && !isPlatformIndependentPackage(f, packageVersion) {
+			if !strings.Contains(f, packageSuffix) && !isPlatformIndependentPackage(f, packageVersion, dependencies) {
 				if mg.Verbose() {
 					log.Printf("--- Skipped moving dependency %s to archive path\n", f)
 				}
@@ -1733,7 +1869,7 @@ func movePackagesToArchive(dropPath string, platforms []string, packageVersion s
 			}
 
 			// Platform-independent packages need to be placed in the archive sub-folders for all platforms, copy instead of moving
-			if isPlatformIndependentPackage(f, packageVersion) {
+			if isPlatformIndependentPackage(f, packageVersion, nil) {
 				if err := copyFile(f, targetPath); err != nil {
 					panic(fmt.Errorf("failed copying file: %w", err))
 				}
@@ -1778,9 +1914,9 @@ func copyFile(src, dst string) error {
 	return nil
 }
 
-func isPlatformIndependentPackage(f string, packageVersion string) bool {
+func isPlatformIndependentPackage(f string, packageVersion string, dependencies []packaging.BinarySpec) bool {
 	fileBaseName := filepath.Base(f)
-	for _, spec := range packaging.ExpectedBinaries {
+	for _, spec := range dependencies {
 		packageName := spec.GetPackageName(packageVersion, "")
 		// as of now only python wheels packages are platform-independent
 		if spec.PythonWheel && (fileBaseName == packageName || fileBaseName == packageName+sha512FileExt) {
diff --git a/testing/integration/upgrade_standalone_same_commit_test.go b/testing/integration/upgrade_standalone_same_commit_test.go
index 3d508f44a81..337be4dda39 100644
--- a/testing/integration/upgrade_standalone_same_commit_test.go
+++ b/testing/integration/upgrade_standalone_same_commit_test.go
@@ -368,7 +368,7 @@ func generateNewManifestContent(t *testing.T, manifestReader io.Reader, newVersi
 	t.Logf("read old manifest: %+v", oldManifest)
 
 	// replace manifest content
-	newManifest, err := mage.GeneratePackageManifest("elastic-agent", newVersion.String(), oldManifest.Package.Snapshot, oldManifest.Package.Hash, oldManifest.Package.Hash[:6], nil)
+	newManifest, err := mage.GeneratePackageManifest("elastic-agent", newVersion.String(), oldManifest.Package.Snapshot, oldManifest.Package.Hash, oldManifest.Package.Hash[:6], oldManifest.Package.Fips, nil)
 	require.NoErrorf(t, err, "GeneratePackageManifest(%v, %v, %v, %v, %v) failed", newVersion.String(), oldManifest.Package.Snapshot, oldManifest.Package.Hash, oldManifest.Package.Hash[:6], nil)
 
 	t.Logf("generated new manifest:\n%s", newManifest)