diff --git a/.buildkite/integration.pipeline.yml b/.buildkite/integration.pipeline.yml
index f3de81d4eac..e4f09c24735 100644
--- a/.buildkite/integration.pipeline.yml
+++ b/.buildkite/integration.pipeline.yml
@@ -118,6 +118,36 @@ steps:
           imagePrefix: "core-ubuntu-2204-aarch64"
           diskSizeGb: 200
 
+      - label: "Packaging: Containers linux/amd64 FIPS"
+        key: packaging-containers-x86-64-fips
+        env:
+          PACKAGES: "docker"
+          PLATFORMS: "linux/amd64"
+          FIPS: "true"
+        command: ".buildkite/scripts/steps/integration-package.sh"
+        artifact_paths:
+          - build/distributions/**
+        agents:
+          provider: "gcp"
+          machineType: "n2-standard-8"
+          diskSizeGb: 200
+
+      - label: "Packaging: Containers linux/arm64 FIPS"
+        key: packaging-containers-arm64-fips
+        env:
+          PACKAGES: "docker"
+          PLATFORMS: "linux/arm64"
+          FIPS: "true"
+        command: |
+          .buildkite/scripts/steps/integration-package.sh
+        artifact_paths:
+          - build/distributions/**
+        agents:
+          provider: "aws"
+          instanceType: "c6g.4xlarge"
+          imagePrefix: "core-ubuntu-2204-aarch64"
+          diskSizeGb: 200
+
   - label: "Serverless integration test"
     key: "serverless-integration-tests"
     depends_on:
diff --git a/.buildkite/pipeline.elastic-agent-binary-dra.yml b/.buildkite/pipeline.elastic-agent-binary-dra.yml
index 02bbffe3d07..ea3cfd762e4 100644
--- a/.buildkite/pipeline.elastic-agent-binary-dra.yml
+++ b/.buildkite/pipeline.elastic-agent-binary-dra.yml
@@ -25,7 +25,21 @@ steps:
       env:
         DRA_WORKFLOW: "snapshot"
         PLATFORMS: "linux/amd64 windows/amd64 darwin/amd64"
-    
+
+    - label: ":package: linux/amd64 FIPS Elastic-Agent Core Snapshot"
+      commands:
+        - .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-snapshot-x86-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "gcp"
+        machineType: "c2-standard-16"
+      env:
+        DRA_WORKFLOW: "snapshot"
+        PLATFORMS: "linux/amd64"
+        FIPS: "true"
+
     - label: ":package: linux/arm64 darwin/arm64 Elastic-Agent Core Snapshot"
       commands:
         - .buildkite/scripts/steps/build-agent-core.sh
@@ -40,6 +54,20 @@ steps:
         DRA_WORKFLOW: "snapshot"
         PLATFORMS: "linux/arm64 darwin/arm64"
 
+    - label: ":package: linux/arm64 FIPS Elastic-Agent Core Snapshot"
+      commands:
+        - .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-snapshot-arm-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "aws"
+        instanceType: "c6g.4xlarge"
+        imagePrefix: "core-ubuntu-2204-aarch64"
+      env:
+        DRA_WORKFLOW: "snapshot"
+        PLATFORMS: "linux/arm64"
+        FIPS: "true"
     - wait
 
     - label: ":hammer: DRA Publish Elastic-Agent Core Snapshot"
@@ -86,6 +114,21 @@ steps:
         DRA_WORKFLOW: "staging"
         PLATFORMS: "linux/amd64 windows/amd64 darwin/amd64"
 
+    - label: ":package: linux/amd64 FIPS Elastic-Agent Core staging"
+      commands: |
+        source .buildkite/scripts/version_qualifier.sh
+        .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-staging-x86-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "gcp"
+        machineType: "c2-standard-16"
+      env:
+        DRA_WORKFLOW: "staging"
+        PLATFORMS: "linux/amd64"
+        FIPS: "true"
+
     - label: ":package: linux/arm64 darwin/arm64 Elastic-Agent Core staging"
       commands: |
         source .buildkite/scripts/version_qualifier.sh
@@ -101,6 +144,22 @@ steps:
         DRA_WORKFLOW: "dra-core-staging"
         PLATFORMS: "linux/arm64 darwin/arm64"
 
+    - label: ":package: linux/arm64 FIPS Elastic-Agent Core staging"
+      commands: |
+        source .buildkite/scripts/version_qualifier.sh
+        .buildkite/scripts/steps/build-agent-core.sh
+      key: "build-dra-staging-arm-fips"
+      artifact_paths:
+        - "build/distributions/**/*"
+      agents:
+        provider: "aws"
+        instanceType: "c6g.4xlarge"
+        imagePrefix: "core-ubuntu-2204-aarch64"
+      env:
+        DRA_WORKFLOW: "dra-core-staging"
+        PLATFORMS: "linux/arm64"
+        FIPS: "true"
+
     - wait
 
     - label: ":hammer: DRA Publish Elastic-Agent Core staging"
diff --git a/dev-tools/mage/build.go b/dev-tools/mage/build.go
index 92da55273b1..c5d879a6510 100644
--- a/dev-tools/mage/build.go
+++ b/dev-tools/mage/build.go
@@ -18,6 +18,8 @@ import (
 	"github.com/magefile/mage/sh"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
+
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 )
 
 // BuildArgs are the arguments used for the "build" target and they define how
@@ -73,6 +75,7 @@ func DefaultBuildArgs() BuildArgs {
 	args := BuildArgs{
 		Name: BeatName,
 		CGO:  build.Default.CgoEnabled,
+		Env:  map[string]string{},
 		Vars: map[string]string{
 			elasticAgentModulePath + "/version.buildTime": "{{ date }}",
 			elasticAgentModulePath + "/version.commit":    "{{ commit }}",
@@ -88,8 +91,16 @@ func DefaultBuildArgs() BuildArgs {
 	}
 
 	if FIPSBuild {
-		args.ExtraFlags = append(args.ExtraFlags, "-tags=requirefips")
-		args.CGO = true
+
+		fipsConfig := packaging.Settings().FIPS
+
+		for _, tag := range fipsConfig.Compile.Tags {
+			args.ExtraFlags = append(args.ExtraFlags, "-tags="+tag)
+		}
+		args.CGO = args.CGO || fipsConfig.Compile.CGO
+		for varName, value := range fipsConfig.Compile.Env {
+			args.Env[varName] = value
+		}
 	}
 
 	if DevBuild {
@@ -191,11 +202,6 @@ func Build(params BuildArgs) error {
 		cgoEnabled = "1"
 	}
 
-	if FIPSBuild {
-		cgoEnabled = "1"
-		env["GOEXPERIMENT"] = "systemcrypto"
-	}
-
 	env["CGO_ENABLED"] = cgoEnabled
 
 	// Spec
diff --git a/dev-tools/mage/checksums.go b/dev-tools/mage/checksums.go
index b12a4e3ec3e..d885d70f7ca 100644
--- a/dev-tools/mage/checksums.go
+++ b/dev-tools/mage/checksums.go
@@ -9,12 +9,12 @@ import (
 	"log"
 	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/magefile/mage/mg"
 	"github.com/otiai10/copy"
 
 	"github.com/elastic/elastic-agent/dev-tools/mage/manifest"
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 )
 
 const ComponentSpecFileSuffix = ".spec.yml"
@@ -40,23 +40,53 @@ func CopyComponentSpecs(componentName, versionedDropPath string) (string, error)
 	return GetSHA512Hash(targetPath)
 }
 
-// This is a helper function for flattenDependencies that's used when not packaging from a manifest
-func ChecksumsWithoutManifest(versionedFlatPath string, versionedDropPath string, packageVersion string) map[string]string {
-	globExpr := filepath.Join(versionedFlatPath, fmt.Sprintf("*%s*", packageVersion))
-	if mg.Verbose() {
-		log.Printf("Finding files to copy with %s", globExpr)
-	}
-	files, err := filepath.Glob(globExpr)
-	if err != nil {
-		panic(err)
-	}
-	if mg.Verbose() {
-		log.Printf("Validating checksums for %+v", files)
-		log.Printf("--- Copying into %s: %v", versionedDropPath, files)
-	}
-
+// ChecksumsWithoutManifest is a helper function for flattenDependencies that's used when not packaging from a manifest.
+// This function will iterate over the dependencies, resolve *exactly* the package name for each dependency and platform using the passed
+// dependenciesVersion, and it will copy the extracted files contained in the rootDir of each dependency from the versionedFlatPath
+// (a directory containing all the extracted dependencies per platform) to the versionedDropPath (a drop path by platform
+// that will be used to compose the package content)
+// ChecksumsWithoutManifest will accumulate the checksums of each component spec that is copied, and return it to the caller.
+func ChecksumsWithoutManifest(platform string, dependenciesVersion string, versionedFlatPath string, versionedDropPath string, dependencies []packaging.BinarySpec) map[string]string {
 	checksums := make(map[string]string)
-	for _, f := range files {
+
+	for _, dep := range dependencies {
+
+		if dep.PythonWheel {
+			if mg.Verbose() {
+				log.Printf(">>>>>>> Component %s/%s is a Python wheel, skipping", dep.ProjectName, dep.BinaryName)
+			}
+			continue
+		}
+
+		if !dep.SupportsPlatform(platform) {
+			if mg.Verbose() {
+				log.Printf(">>>>>>> Component %s/%s does not support platform %s, skipping", dep.ProjectName, dep.BinaryName, platform)
+			}
+			continue
+		}
+
+		atLeastOnePackageTypeSelected := false
+		for _, pkgType := range dep.PackageTypes {
+			if IsPackageTypeSelected(PackageType(pkgType)) {
+				atLeastOnePackageTypeSelected = true
+				break
+			}
+		}
+
+		if !atLeastOnePackageTypeSelected {
+			if mg.Verbose() {
+				log.Printf(">>>>>>> Component %s/%s supported package types %v do not overlap selected package types %v, skipping", dep.ProjectName, dep.BinaryName, dep.PackageTypes, SelectedPackageTypes)
+			}
+			continue
+		}
+
+		srcDir := filepath.Join(versionedFlatPath, dep.GetRootDir(dependenciesVersion, platform))
+
+		if mg.Verbose() {
+			log.Printf("Validating checksums for %+v", dep.BinaryName)
+			log.Printf("--- Copying into %s: %v", versionedDropPath, srcDir)
+		}
+
 		options := copy.Options{
 			OnSymlink: func(_ string) copy.SymlinkAction {
 				return copy.Shallow
@@ -64,222 +94,99 @@ func ChecksumsWithoutManifest(versionedFlatPath string, versionedDropPath string
 			Sync: true,
 		}
 		if mg.Verbose() {
-			log.Printf("> prepare to copy %s into %s ", f, versionedDropPath)
+			log.Printf("> prepare to copy %s into %s ", srcDir, versionedDropPath)
 		}
 
-		err = copy.Copy(f, versionedDropPath, options)
+		err := copy.Copy(srcDir, versionedDropPath, options)
 		if err != nil {
-			panic(err)
+			panic(fmt.Errorf("copying dependency %s files from %q to %q: %w", dep.BinaryName, srcDir, versionedDropPath, err))
 		}
 
 		// copy spec file for match
-		specName := filepath.Base(f)
-		idx := strings.Index(specName, "-"+packageVersion)
-		if idx != -1 {
-			specName = specName[:idx]
-		}
 		if mg.Verbose() {
-			log.Printf(">>>> Looking to copy spec file: [%s]", specName)
+			log.Printf(">>>> Looking to copy spec file: [%s]", dep.BinaryName)
 		}
 
-		checksum, err := CopyComponentSpecs(specName, versionedDropPath)
+		checksum, err := CopyComponentSpecs(dep.BinaryName, versionedDropPath)
 		if err != nil {
 			panic(err)
 		}
 
-		checksums[specName+ComponentSpecFileSuffix] = checksum
+		checksums[dep.BinaryName+ComponentSpecFileSuffix] = checksum
 	}
 
 	return checksums
 }
 
-// This is a helper function for flattenDependencies that's used when building from a manifest
-func ChecksumsWithManifest(requiredPackage string, versionedFlatPath string, versionedDropPath string, manifestResponse *manifest.Build) map[string]string {
+// ChecksumsWithManifest is a helper function for flattenDependencies that's used when building from a manifest.
+// This function will iterate over the dependencies, resolve the package name for each dependency and platform using the manifest,
+// (there may be some variability there in case the manifest does not include an exact match for the expected filename),
+// and it will copy the extracted files contained in the rootDir of each dependency from the versionedFlatPath
+// (a directory containing all the extracted dependencies per platform) to the versionedDropPath (a drop path by platform
+// that will be used to compose the package content)
+// ChecksumsWithManifest will accumulate the checksums of each component spec that is copied, and return it to the caller.
+func ChecksumsWithManifest(platform string, dependenciesVersion string, versionedFlatPath string, versionedDropPath string, manifestResponse *manifest.Build, dependencies []packaging.BinarySpec) map[string]string {
 	checksums := make(map[string]string)
 	if manifestResponse == nil {
 		return checksums
 	}
 
-	// Iterate over the component projects in the manifest
-	projects := manifestResponse.Projects
-	for componentName := range projects {
-		// Iterate over the individual package files within each component project
-		for pkgName := range projects[componentName].Packages {
-			// Only care about packages that match the required package constraint (os/arch)
-			if strings.Contains(pkgName, requiredPackage) {
-				// Iterate over the external binaries that we care about for packaging agent
-				for _, spec := range manifest.ExpectedBinaries {
-					// If the individual package doesn't match the expected prefix, then continue
-					// FIXME temporarily skip fips packages until elastic-agent FIPS is in place
-					if !strings.HasPrefix(pkgName, spec.BinaryName) || strings.Contains(pkgName, "-fips-") {
-						if mg.Verbose() {
-							log.Printf(">>>>>>> Package [%s] skipped", pkgName)
-						}
-						continue
-					}
-
-					if mg.Verbose() {
-						log.Printf(">>>>>>> Package [%s] matches requiredPackage [%s]", pkgName, requiredPackage)
-					}
-
-					// Get the version from the component based on the version in the package name
-					// This is useful in the case where it's an Independent Agent Release, where
-					// the opted-in projects will be one patch version ahead of the rest of the
-					// opted-out/previously-released projects
-					componentVersion := getComponentVersion(componentName, requiredPackage, projects[componentName])
-					if mg.Verbose() {
-						log.Printf(">>>>>>> Component [%s]/[%s] version is [%s]", componentName, requiredPackage, componentVersion)
-					}
-
-					// Combine the package name w/ the versioned flat path
-					fullPath := filepath.Join(versionedFlatPath, pkgName)
-
-					// Eliminate the file extensions to get the proper directory
-					// name that we need to copy
-					var dirToCopy string
-					if strings.HasSuffix(fullPath, ".tar.gz") {
-						dirToCopy = fullPath[:strings.LastIndex(fullPath, ".tar.gz")]
-					} else if strings.HasSuffix(fullPath, ".zip") {
-						dirToCopy = fullPath[:strings.LastIndex(fullPath, ".zip")]
-					} else {
-						dirToCopy = fullPath
-					}
-					if mg.Verbose() {
-						log.Printf(">>>>>>> Calculated directory to copy: [%s]", dirToCopy)
-					}
-
-					// cloud-defend path exception
-					// When untarred, cloud defend untars to:
-					//    cloud-defend-8.14.0-arm64
-					// but the manifest (and most of this code) expects to be the same as
-					// the name in the manifest, which is:
-					//    cloud-defend-8.14.0-linux-x86_64
-					// So we have to do a bit of a transformation here
-					if strings.Contains(dirToCopy, "cloud-defend") {
-						if strings.Contains(dirToCopy, "x86_64") {
-							dirToCopy = fixCloudDefendDirPath(dirToCopy, componentVersion, "x86_64", "amd64")
-						}
-						if strings.Contains(dirToCopy, "arm64") {
-							// Not actually replacing the arch, but removing the "linux"
-							dirToCopy = fixCloudDefendDirPath(dirToCopy, componentVersion, "arm64", "arm64")
-						}
-						if mg.Verbose() {
-							log.Printf(">>>>>>> Adjusted cloud-defend directory to copy: [%s]", dirToCopy)
-						}
-					}
-
-					// Set copy options
-					options := copy.Options{
-						OnSymlink: func(_ string) copy.SymlinkAction {
-							return copy.Shallow
-						},
-						Sync: true,
-					}
-					if mg.Verbose() {
-						log.Printf("> prepare to copy %s into %s ", dirToCopy, versionedDropPath)
-					}
-
-					// Do the copy
-					err := copy.Copy(dirToCopy, versionedDropPath, options)
-					if err != nil {
-						panic(err)
-					}
-
-					// copy spec file for match
-					specName := filepath.Base(dirToCopy)
-					idx := strings.Index(specName, "-"+componentVersion)
-					if idx != -1 {
-						specName = specName[:idx]
-					}
-					if mg.Verbose() {
-						log.Printf(">>>> Looking to copy spec file: [%s]", specName)
-					}
-
-					checksum, err := CopyComponentSpecs(specName, versionedDropPath)
-					if err != nil {
-						panic(err)
-					}
-
-					checksums[specName+ComponentSpecFileSuffix] = checksum
-				}
+	// Iterate over the external binaries that we care about for packaging agent
+	for _, spec := range dependencies {
+
+		if spec.PythonWheel {
+			if mg.Verbose() {
+				log.Printf(">>>>>>> Component %s/%s is a Python wheel, skipping", spec.ProjectName, spec.BinaryName)
 			}
+			continue
 		}
-	}
 
-	return checksums
-}
+		if !spec.SupportsPlatform(platform) {
+			log.Printf(">>>>>>> Component %s/%s does not support platform %s, skipping", spec.ProjectName, spec.BinaryName, platform)
+			continue
+		}
 
-// This function is used when building with a Manifest.  In that manifest, it's possible
-// for projects in an Independent Agent Release to have different versions since the opted-in
-// ones will be one patch version higher than the opted-out/previously released projects.
-// This function tries to find the versions from the package name
-func getComponentVersion(componentName string, requiredPackage string, componentProject manifest.Project) string {
-	var componentVersion string
-	var foundIt bool
-	// Iterate over all the packages in the component project
-	for pkgName := range componentProject.Packages {
-		// Only care about the external binaries that we want to package
-		for _, spec := range manifest.ExpectedBinaries {
-			// If the given component name doesn't match the external binary component, skip
-			// FIXME temporarily skip fips packages until elastic-agent FIPS is in place
-			if componentName != spec.ProjectName || strings.Contains(pkgName, "-fips-") {
-				continue
+		manifestPackage, err := manifest.ResolveManifestPackage(manifestResponse.Projects[spec.ProjectName], spec, dependenciesVersion, platform)
+		if err != nil {
+			if mg.Verbose() {
+				log.Printf(">>>>>>> Error resolving package for [%s/%s]", spec.BinaryName, platform)
 			}
+			continue
+		}
 
-			// Split the package name on the binary name prefix plus a dash
-			firstSplit := strings.Split(pkgName, spec.BinaryName+"-")
-			if len(firstSplit) < 2 {
-				continue
-			}
+		rootDir := spec.GetRootDir(manifestPackage.ActualVersion, platform)
 
-			// Get the second part of the first split
-			secondHalf := firstSplit[1]
-			if len(secondHalf) < 2 {
-				continue
-			}
+		// Combine the package name w/ the versioned flat path
+		fullPath := filepath.Join(versionedFlatPath, rootDir)
 
-			// Make sure the second half matches the required package
-			if strings.Contains(secondHalf, requiredPackage) {
-				// ignore packages with names where this splitting doesn't results in proper version
-				if strings.Contains(secondHalf, "docker-image") {
-					continue
-				}
-				if strings.Contains(secondHalf, "oss-") {
-					continue
-				}
-
-				// The component version should be the first entry after splitting w/ the requiredPackage
-				componentVersion = strings.Split(secondHalf, "-"+requiredPackage)[0]
-				foundIt = true
-				// break out of inner loop
-				break
-			}
-		}
-		if foundIt {
-			// break out of outer loop
-			break
+		if mg.Verbose() {
+			log.Printf(">>>>>>> Calculated directory to copy: [%s]", fullPath)
 		}
-	}
 
-	if componentVersion == "" {
-		errMsg := fmt.Sprintf("Unable to determine component version for [%s]", componentName)
-		panic(errMsg)
-	}
+		// Set copy options
+		options := copy.Options{
+			OnSymlink: func(_ string) copy.SymlinkAction {
+				return copy.Shallow
+			},
+			Sync: true,
+		}
+		if mg.Verbose() {
+			log.Printf("> prepare to copy %s into %s ", fullPath, versionedDropPath)
+		}
 
-	return componentVersion
-}
+		// Do the copy
+		err = copy.Copy(fullPath, versionedDropPath, options)
+		if err != nil {
+			panic(err)
+		}
 
-// This is a helper function for the cloud-defend package.
-// When it is untarred, it does not have the same dirname as the package name.
-// This adjusts for that and returns the actual path on disk for cloud-defend
-func fixCloudDefendDirPath(dirPath string, componentVersion string, expectedArch string, actualArch string) string {
-	fixedDirPath := dirPath
+		checksum, err := CopyComponentSpecs(spec.BinaryName, versionedDropPath)
+		if err != nil {
+			panic(err)
+		}
 
-	cloudDefendExpectedDirName := fmt.Sprintf("cloud-defend-%s-linux-%s", componentVersion, expectedArch)
-	cloudDefendActualDirName := fmt.Sprintf("cloud-defend-%s-%s", componentVersion, actualArch)
-	if strings.Contains(fixedDirPath, cloudDefendExpectedDirName) {
-		fixedDirPath = strings.ReplaceAll(fixedDirPath, cloudDefendExpectedDirName, cloudDefendActualDirName)
+		checksums[spec.BinaryName+ComponentSpecFileSuffix] = checksum
 	}
 
-	return fixedDirPath
+	return checksums
 }
diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go
index c7340490d41..8c4e70d150e 100644
--- a/dev-tools/mage/crossbuild.go
+++ b/dev-tools/mage/crossbuild.go
@@ -30,11 +30,11 @@ const defaultCrossBuildTarget = "golangCrossBuild"
 var Platforms = BuildPlatforms.Defaults()
 
 // SelectedPackageTypes is the list of package types. If empty, all packages types
-// are considered to be selected (see isPackageTypeSelected).
+// are considered to be selected (see IsPackageTypeSelected).
 var SelectedPackageTypes []PackageType
 
 // SelectedDockerVariants is the list of docker variants. If empty, all docker variants
-// are considered to be selected (see isDockerVariantSelected).
+// are considered to be selected (see IsDockerVariantSelected).
 var SelectedDockerVariants []DockerVariant
 
 func init() {
diff --git a/dev-tools/mage/dockerbuilder.go b/dev-tools/mage/dockerbuilder.go
index 6a0cd8609ac..a3290d69a1a 100644
--- a/dev-tools/mage/dockerbuilder.go
+++ b/dev-tools/mage/dockerbuilder.go
@@ -182,9 +182,7 @@ func (b *dockerBuilder) dockerBuild() (string, error) {
 	if b.Snapshot {
 		tag = tag + "-SNAPSHOT"
 	}
-	if b.FIPS {
-		tag = tag + "-fips"
-	}
+
 	if repository := b.ExtraVars["repository"]; repository != "" {
 		tag = fmt.Sprintf("%s/%s", repository, tag)
 	}
diff --git a/dev-tools/mage/manifest/manifest.go b/dev-tools/mage/manifest/manifest.go
index 1db9c21dbe1..7c33f08e8b3 100644
--- a/dev-tools/mage/manifest/manifest.go
+++ b/dev-tools/mage/manifest/manifest.go
@@ -13,13 +13,14 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"time"
 
 	"github.com/magefile/mage/mg"
 	"golang.org/x/sync/errgroup"
 
-	"github.com/elastic/elastic-agent/dev-tools/mage/pkgcommon"
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 	"github.com/elastic/elastic-agent/pkg/version"
 )
 
@@ -94,73 +95,6 @@ var PlatformPackages = map[string]string{
 	"windows/amd64": "windows-x86_64.zip",
 }
 
-// ExpectedBinaries  is a map of binaries agent needs to their project in the unified-release manager.
-// The project names are those used in the "projects" list in the unified release manifest.
-// See the sample manifests in the testdata directory.
-var ExpectedBinaries = []BinarySpec{
-	{BinaryName: "agentbeat", ProjectName: "beats", Platforms: AllPlatforms, PackageTypes: pkgcommon.AllPackageTypes},
-	{BinaryName: "apm-server", ProjectName: "apm-server", Platforms: []Platform{{"linux", "x86_64"}, {"linux", "arm64"}, {"windows", "x86_64"}, {"darwin", "x86_64"}}, PackageTypes: pkgcommon.AllPackageTypes},
-	{BinaryName: "cloudbeat", ProjectName: "cloudbeat", Platforms: []Platform{{"linux", "x86_64"}, {"linux", "arm64"}}, PackageTypes: pkgcommon.AllPackageTypes},
-	{BinaryName: "cloud-defend", ProjectName: "cloud-defend", Platforms: []Platform{{"linux", "x86_64"}, {"linux", "arm64"}}, PackageTypes: []pkgcommon.PackageType{pkgcommon.Docker}},
-	{BinaryName: "connectors", ProjectName: "connectors", Platforms: []Platform{{"linux", "x86_64"}, {"linux", "arm64"}}, PythonWheel: true, PackageTypes: pkgcommon.AllPackageTypes},
-	{BinaryName: "endpoint-security", ProjectName: "endpoint-dev", Platforms: AllPlatforms, PackageTypes: []pkgcommon.PackageType{pkgcommon.RPM, pkgcommon.Deb, pkgcommon.Zip, pkgcommon.TarGz}},
-	{BinaryName: "fleet-server", ProjectName: "fleet-server", Platforms: AllPlatforms, PackageTypes: pkgcommon.AllPackageTypes},
-	{BinaryName: "pf-elastic-collector", ProjectName: "prodfiler", Platforms: []Platform{{"linux", "x86_64"}, {"linux", "arm64"}}, PackageTypes: pkgcommon.AllPackageTypes},
-	{BinaryName: "pf-elastic-symbolizer", ProjectName: "prodfiler", Platforms: []Platform{{"linux", "x86_64"}, {"linux", "arm64"}}, PackageTypes: pkgcommon.AllPackageTypes},
-	{BinaryName: "pf-host-agent", ProjectName: "prodfiler", Platforms: []Platform{{"linux", "x86_64"}, {"linux", "arm64"}}, PackageTypes: pkgcommon.AllPackageTypes},
-}
-
-type BinarySpec struct {
-	BinaryName   string
-	ProjectName  string
-	Platforms    []Platform
-	PythonWheel  bool
-	PackageTypes []pkgcommon.PackageType
-}
-
-func (proj BinarySpec) SupportsPlatform(platform string) bool {
-	for _, p := range proj.Platforms {
-		if p.Platform() == platform {
-			return true
-		}
-	}
-	return false
-}
-
-func (proj BinarySpec) SupportsPackageType(pkgType pkgcommon.PackageType) bool {
-	for _, p := range proj.PackageTypes {
-		if p == pkgType {
-			return true
-		}
-	}
-	return false
-}
-
-func (proj BinarySpec) GetPackageName(version string, platform string) string {
-	if proj.PythonWheel {
-		return fmt.Sprintf("%s-%s.zip", proj.BinaryName, version)
-	}
-	return fmt.Sprintf("%s-%s-%s", proj.BinaryName, version, PlatformPackages[platform])
-}
-
-type Platform struct {
-	OS   string
-	Arch string
-}
-
-// Converts to the format expected on the mage command line "linux", "x86_64" = "linux/amd64"
-func (p Platform) Platform() string {
-	if p.Arch == "x86_64" {
-		p.Arch = "amd64"
-	}
-	if p.Arch == "aarch64" {
-		p.Arch = "arm64"
-	}
-	return p.OS + "/" + p.Arch
-}
-
-var AllPlatforms = []Platform{{"linux", "x86_64"}, {"linux", "arm64"}, {"windows", "x86_64"}, {"darwin", "x86_64"}, {"darwin", "aarch64"}}
-
 // DownloadManifest is going to download the given manifest file and return the ManifestResponse
 func DownloadManifest(ctx context.Context, manifest string) (Build, error) {
 	manifestUrl, urlError := url.Parse(manifest)
@@ -192,7 +126,7 @@ func DownloadManifest(ctx context.Context, manifest string) (Build, error) {
 
 // DownloadComponents is going to download a set of components from the given manifest into the destination
 // dropPath folder in order to later use that folder for packaging
-func DownloadComponents(ctx context.Context, manifest string, platforms []string, dropPath string) error {
+func DownloadComponents(ctx context.Context, expectedBinaries []packaging.BinarySpec, manifest string, platforms []string, dropPath string) error {
 	manifestResponse, err := DownloadManifest(ctx, manifest)
 	if err != nil {
 		return fmt.Errorf("failed to download remote manifest file %w", err)
@@ -211,7 +145,7 @@ func DownloadComponents(ctx context.Context, manifest string, platforms []string
 
 	errGrp, downloadsCtx := errgroup.WithContext(ctx)
 	// for project, pkgs := range expectedProjectPkgs() {
-	for _, spec := range ExpectedBinaries {
+	for _, spec := range expectedBinaries {
 		for _, platform := range platforms {
 			targetPath := filepath.Join(dropPath)
 			err := os.MkdirAll(targetPath, 0755)
@@ -225,12 +159,12 @@ func DownloadComponents(ctx context.Context, manifest string, platforms []string
 				continue
 			}
 
-			pkgURL, err := resolveManifestPackage(projects[spec.ProjectName], spec, majorMinorPatchVersion, platform)
+			resolvedPackage, err := ResolveManifestPackage(projects[spec.ProjectName], spec, majorMinorPatchVersion, platform)
 			if err != nil {
 				return err
 			}
 
-			for _, p := range pkgURL {
+			for _, p := range resolvedPackage.URLs {
 				log.Printf(">>>>>>>>> Downloading [%s] [%s] ", spec.BinaryName, p)
 				pkgFilename := path.Base(p)
 				downloadTarget := filepath.Join(targetPath, pkgFilename)
@@ -252,76 +186,121 @@ func DownloadComponents(ctx context.Context, manifest string, platforms []string
 	return nil
 }
 
-func resolveManifestPackage(project Project, spec BinarySpec, version string, platform string) ([]string, error) {
-	var val Package
-	var ok bool
+type ResolvedPackage struct {
+	Name          string
+	ActualVersion string
+	URLs          []string
+}
+
+func ResolveManifestPackage(project Project, spec packaging.BinarySpec, dependencyVersion string, platform string) (*ResolvedPackage, error) {
 
 	// Try the normal/easy case first
-	packageName := spec.GetPackageName(version, platform)
-	val, ok = project.Packages[packageName]
-	if !ok {
-		// If we didn't find it, it may be an Independent Agent Release, where
-		// the opted-in projects will have a patch version one higher than
-		// the rest of the projects, so we need to seek that out
+	packageName := spec.GetPackageName(dependencyVersion, platform)
+	if mg.Verbose() {
+		log.Printf(">>>>>>>>>>> Got packagename [%s], looking for exact match", packageName)
+	}
+
+	if exactMatch, ok := project.Packages[packageName]; ok {
+		// We found the exact filename we are looking for
 		if mg.Verbose() {
-			log.Printf(">>>>>>>>>>> Looking for package [%s] of type [%s]", spec.BinaryName, PlatformPackages[platform])
+			log.Printf(">>>>>>>>>>> Found exact match packageName for [%s, %s]: %s", project.Branch, project.CommitHash, exactMatch)
 		}
 
-		var foundIt bool
-		for pkgName := range project.Packages {
-			if strings.HasPrefix(pkgName, spec.BinaryName) {
-				firstSplit := strings.Split(pkgName, spec.BinaryName+"-")
-				if len(firstSplit) < 2 {
-					continue
-				}
+		return &ResolvedPackage{
+			Name:          packageName,
+			ActualVersion: dependencyVersion,
+			URLs:          []string{exactMatch.URL, exactMatch.ShaURL, exactMatch.AscURL},
+		}, nil
+	}
 
-				secondHalf := firstSplit[1]
-				// Make sure we're finding one w/ the same required package type
-				if strings.Contains(secondHalf, PlatformPackages[platform]) {
-
-					// Split again after the version with the required package string
-					secondSplit := strings.Split(secondHalf, "-"+PlatformPackages[platform])
-					if len(secondSplit) < 2 {
-						continue
-					}
-
-					// The first element after the split should normally be the version
-					pkgVersion := secondSplit[0]
-					if mg.Verbose() {
-						log.Printf(">>>>>>>>>>> Using derived version for package [%s]: %s ", pkgName, pkgVersion)
-					}
-
-					// Create a project/package key with the package, derived version, and required package
-					foundPkgKey := fmt.Sprintf("%s-%s-%s", spec.BinaryName, pkgVersion, PlatformPackages[platform])
-					if mg.Verbose() {
-						log.Printf(">>>>>>>>>>> Looking for project package key: [%s]", foundPkgKey)
-					}
-
-					// Get the package value, if it exists
-					val, ok = project.Packages[foundPkgKey]
-					if !ok {
-						continue
-					}
-
-					if mg.Verbose() {
-						log.Printf(">>>>>>>>>>> Found package key [%s]", foundPkgKey)
-					}
-
-					foundIt = true
-				}
-			}
-		}
+	// If we didn't find it, it may be an Independent Agent Release, where
+	// the opted-in projects will have a patch version one higher than
+	// the rest of the projects, so we "relax" the version constraint
+	return resolveManifestPackageUsingRelaxedVersion(project, spec, dependencyVersion, platform)
+}
 
-		if !foundIt {
-			return nil, fmt.Errorf("package [%s] not found in project manifest at %s", packageName, project.ExternalArtifactsManifestURL)
-		}
+func resolveManifestPackageUsingRelaxedVersion(project Project, spec packaging.BinarySpec, dependencyVersion string, platform string) (*ResolvedPackage, error) {
+	// start with the rendered package name
+	packageName := spec.GetPackageName(dependencyVersion, platform)
+
+	// Find the original version in the rendered filename
+	versionIndex := strings.Index(packageName, dependencyVersion)
+	if versionIndex == -1 {
+		return nil, fmt.Errorf("no exact match and filename %q does not seem to contain dependencyVersion %q to try a fallback", packageName, dependencyVersion)
+	}
+
+	// obtain a regexp from the exact version string that allows for some flexibility on patch version, prerelease and build metadata tokens
+	relaxedVersion, err := relaxVersion(dependencyVersion)
+	if err != nil {
+		return nil, fmt.Errorf("relaxing dependencyVersion %q: %w", dependencyVersion, err)
 	}
 
 	if mg.Verbose() {
-		log.Printf(">>>>>>>>>>> Project branch/commit [%s, %s]", project.Branch, project.CommitHash)
+		log.Printf(">>>>>>>>>>> Couldn't find exact match, relaxing agent dependencyVersion to %s", relaxedVersion)
 	}
 
-	return []string{val.URL, val.ShaURL, val.AscURL}, nil
+	// locate the original version in the filename and substitute the relaxed version regexp, quoting everything around that
+	relaxedPackageName := regexp.QuoteMeta(packageName[:versionIndex])
+	relaxedPackageName += `(?P<version>` + relaxedVersion + `)`
+	relaxedPackageName += regexp.QuoteMeta(packageName[versionIndex+len(dependencyVersion):])
+
+	if mg.Verbose() {
+		log.Printf(">>>>>>>>>>> Attempting to match a filename with %s", relaxedPackageName)
+	}
+
+	relaxedPackageNameRegexp, err := regexp.Compile(relaxedPackageName)
+	if err != nil {
+		return nil, fmt.Errorf("compiling relaxed package name regex %q: %w", relaxedPackageName, err)
+	}
+
+	for pkgName, pkg := range project.Packages {
+		if mg.Verbose() {
+			log.Printf(">>>>>>>>>>> Evaluating filename %s", pkgName)
+		}
+		if submatches := relaxedPackageNameRegexp.FindStringSubmatch(pkgName); len(submatches) > 0 {
+			if mg.Verbose() {
+				log.Printf(">>>>>>>>>>> Found matching packageName for [%s, %s]: %s", project.Branch, project.CommitHash, pkgName)
+			}
+			return &ResolvedPackage{
+				Name:          pkgName,
+				ActualVersion: submatches[1],
+				URLs:          []string{pkg.URL, pkg.ShaURL, pkg.AscURL},
+			}, nil
+		}
+	}
+
+	return nil, fmt.Errorf("package [%s] not found in project manifest at %s using relaxed version %q", packageName, project.ExternalArtifactsManifestURL, relaxedPackageName)
+}
+
+// versionRegexp is taken from https://semver.org/ (see the FAQ section/Is there a suggested regular expression (RegEx) to check a SemVer string?)
+const versionRegexp = `^(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(0|[1-9]\d*)(?:-(?:(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?:[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`
+const anyPatchVersionRegexp = `(?:0|[1-9]\d*)`
+
+var versionRegExp = regexp.MustCompile(versionRegexp)
+
+func relaxVersion(version string) (string, error) {
+	matchIndices := versionRegExp.FindSubmatchIndex([]byte(version))
+	// Matches index pairs are (0,1) for the whole regexp and (2,3) for the patch group
+	// check that we have matched correctly
+	if len(matchIndices) < 4 {
+		return "", fmt.Errorf("failed to match regexp for version [%s]", version)
+	}
+
+	// take the starting index of the patch version
+	patchStartIndex := matchIndices[2]
+	// copy everything before the patch version escaping the regexp
+	relaxedVersion := regexp.QuoteMeta(version[:patchStartIndex])
+	// add the patch regexp
+	relaxedVersion += anyPatchVersionRegexp
+	// check if there's more characters after the patch version
+	remainderIndex := matchIndices[3]
+	if remainderIndex < len(version) {
+		// This is a looser regexp that allows anything beyond the major version to change (while still enforcing a valid patch version though)
+		// see TestResolveManifestPackage/Independent_Agent_Staging_8.14_apm-server and TestResolveManifestPackage/Independent_Agent_Staging_8.14_endpoint-dev
+		// Be more relaxed and allow for any character sequence after this
+		relaxedVersion += `.*`
+	}
+	return relaxedVersion, nil
 }
 
 func DownloadPackage(ctx context.Context, downloadUrl string, target string) error {
@@ -331,12 +310,12 @@ func DownloadPackage(ctx context.Context, downloadUrl string, target string) err
 	}
 	valid := false
 	for _, manifestHost := range AllowedManifestHosts {
-		if manifestHost == parsedURL.Host {
+		if manifestHost == parsedURL.Hostname() {
 			valid = true
 		}
 	}
 	if !valid {
-		log.Printf("Not allowed %s, valid ones are %+v", parsedURL.Host, AllowedManifestHosts)
+		log.Printf("Not allowed %s, valid ones are %+v", parsedURL.Hostname(), AllowedManifestHosts)
 		return errorNotAllowedManifestURL
 	}
 	cleanUrl := fmt.Sprintf("https://%s%s", parsedURL.Host, parsedURL.Path)
diff --git a/dev-tools/mage/manifest/manifest_test.go b/dev-tools/mage/manifest/manifest_test.go
index b975149aa27..76a0d53cd2e 100644
--- a/dev-tools/mage/manifest/manifest_test.go
+++ b/dev-tools/mage/manifest/manifest_test.go
@@ -7,12 +7,15 @@ package manifest
 import (
 	_ "embed"
 	"encoding/json"
+	"fmt"
 	"log"
 	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 )
 
 var (
@@ -135,7 +138,7 @@ func TestResolveManifestPackage(t *testing.T) {
 			projects := manifestJson.Projects
 
 			// Verify the component name is in the list of expected packages.
-			spec, ok := findBinarySpec(tc.binary)
+			spec, ok := findBinarySpec(t, tc.binary)
 			assert.True(t, ok)
 
 			if !spec.SupportsPlatform(tc.platform) {
@@ -143,22 +146,80 @@ func TestResolveManifestPackage(t *testing.T) {
 				return
 			}
 
-			urlList, err := resolveManifestPackage(projects[tc.projectName], spec, manifestJson.Version, tc.platform)
+			resolvedPackage, err := ResolveManifestPackage(projects[tc.projectName], spec, manifestJson.Version, tc.platform)
 			require.NoError(t, err)
+			require.NotNil(t, resolvedPackage)
 
-			assert.Len(t, urlList, 3)
-			for _, url := range urlList {
+			assert.Len(t, resolvedPackage.URLs, 3)
+			for _, url := range resolvedPackage.URLs {
 				assert.Contains(t, tc.expectedUrlList, url)
 			}
 		})
 	}
 }
 
-func findBinarySpec(name string) (BinarySpec, bool) {
-	for _, spec := range ExpectedBinaries {
+func findBinarySpec(t *testing.T, name string) (packaging.BinarySpec, bool) {
+	components, err := packaging.Components()
+	require.NoError(t, err, "error loading components from packages.yml")
+
+	for _, spec := range components {
 		if spec.BinaryName == name {
 			return spec, true
 		}
 	}
-	return BinarySpec{}, false
+	return packaging.BinarySpec{}, false
+}
+
+func TestRelaxVersion(t *testing.T) {
+	type args struct {
+		version string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    string
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{
+			name: "major-minor-patch",
+			args: args{
+				version: "1.2.3",
+			},
+			want:    `1\.2\.(?:0|[1-9]\d*)`,
+			wantErr: assert.NoError,
+		},
+		{
+			name: "major-minor-patch-snapshot",
+			args: args{
+				version: "1.2.3-SNAPSHOT",
+			},
+			want:    `1\.2\.(?:0|[1-9]\d*).*`,
+			wantErr: assert.NoError,
+		},
+		{
+			name: "major-minor-patch-snapshot-buildmeta",
+			args: args{
+				version: "1.2.3-SNAPSHOT+build20250328112233",
+			},
+			want:    `1\.2\.(?:0|[1-9]\d*).*`,
+			wantErr: assert.NoError,
+		},
+		{
+			name: "not a semver",
+			args: args{
+				version: "foobar",
+			},
+			want:    "",
+			wantErr: assert.Error,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := relaxVersion(tt.args.version)
+			if !tt.wantErr(t, err, fmt.Sprintf("relaxVersion(%v)", tt.args.version)) {
+				return
+			}
+			assert.Equalf(t, tt.want, got, "relaxVersion(%v)", tt.args.version)
+		})
+	}
 }
diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go
index 6ec09f2e598..2103305e48d 100644
--- a/dev-tools/mage/pkg.go
+++ b/dev-tools/mage/pkg.go
@@ -34,6 +34,15 @@ func Package() error {
 	// platforms := updateWithDarwinUniversal(Platforms)
 	platforms := Platforms
 
+	if mg.Verbose() {
+		debugSelectedPackageSpecsWithPlatform := make([]string, 0, len(Packages))
+		for _, p := range Packages {
+			debugSelectedPackageSpecsWithPlatform = append(debugSelectedPackageSpecsWithPlatform, fmt.Sprintf("spec %s on %s/%s", p.Spec.Name, p.OS, p.Arch))
+		}
+
+		log.Printf("Packaging for platforms %v, packages %v", platforms, debugSelectedPackageSpecsWithPlatform)
+	}
+
 	tasks := make(map[string][]interface{})
 	for _, target := range platforms {
 		for _, pkg := range Packages {
@@ -41,13 +50,19 @@ func Package() error {
 				continue
 			}
 
+			// Checks if this package is compatible with the FIPS settings
+			if pkg.Spec.FIPS != FIPSBuild {
+				log.Printf("Skipping %s/%s package type because FIPS flag doesn't match [pkg=%v, build=%v]", pkg.Spec.Name, pkg.OS, pkg.Spec.FIPS, FIPSBuild)
+				continue
+			}
+
 			for _, pkgType := range pkg.Types {
-				if !isPackageTypeSelected(pkgType) {
+				if !IsPackageTypeSelected(pkgType) {
 					log.Printf("Skipping %s package type because it is not selected", pkgType)
 					continue
 				}
 
-				if pkgType == Docker && !isDockerVariantSelected(pkg.Spec.DockerVariant) {
+				if pkgType == Docker && !IsDockerVariantSelected(pkg.Spec.DockerVariant) {
 					log.Printf("Skipping %s docker variant type because it is not selected", pkg.Spec.DockerVariant)
 					continue
 				}
@@ -80,7 +95,6 @@ func Package() error {
 				spec.OS = target.GOOS()
 				spec.Arch = packageArch
 				spec.Snapshot = Snapshot
-				spec.FIPS = FIPSBuild
 				spec.evalContext = map[string]interface{}{
 					"GOOS":          target.GOOS(),
 					"GOARCH":        target.GOARCH(),
@@ -100,6 +114,10 @@ func Package() error {
 
 				spec = spec.Evaluate()
 
+				if mg.Verbose() {
+					log.Printf("Adding task for packaging %s on %s/%s", spec.Name, target.GOOS(), target.Arch())
+				}
+
 				tasks[target.GOOS()+"-"+target.Arch()] = append(tasks[target.GOOS()+"-"+target.Arch()], packageBuilder{target, spec, pkgType}.Build)
 			}
 		}
@@ -112,9 +130,9 @@ func Package() error {
 	return nil
 }
 
-// isPackageTypeSelected returns true if SelectedPackageTypes is empty or if
+// IsPackageTypeSelected returns true if SelectedPackageTypes is empty or if
 // pkgType is present on SelectedPackageTypes. It returns false otherwise.
-func isPackageTypeSelected(pkgType PackageType) bool {
+func IsPackageTypeSelected(pkgType PackageType) bool {
 	if len(SelectedPackageTypes) == 0 {
 		return true
 	}
@@ -127,9 +145,9 @@ func isPackageTypeSelected(pkgType PackageType) bool {
 	return false
 }
 
-// isDockerVariantSelected returns true if SelectedDockerVariants is empty or if
+// IsDockerVariantSelected returns true if SelectedDockerVariants is empty or if
 // docVariant is present on SelectedDockerVariants. It returns false otherwise.
-func isDockerVariantSelected(docVariant DockerVariant) bool {
+func IsDockerVariantSelected(docVariant DockerVariant) bool {
 	if len(SelectedDockerVariants) == 0 {
 		return true
 	}
@@ -222,7 +240,7 @@ func TestPackages(options ...TestPackagesOption) error {
 		args = append(args, "-v")
 	}
 
-	args = append(args, MustExpand("{{ elastic_beats_dir }}/dev-tools/packaging/package_test.go"))
+	args = append(args, MustExpand("{{ elastic_beats_dir }}/dev-tools/packaging/testing/package_test.go"))
 
 	if params.HasModules {
 		args = append(args, "--modules")
@@ -248,10 +266,6 @@ func TestPackages(options ...TestPackagesOption) error {
 		args = append(args, "-root-owner")
 	}
 
-	if FIPSBuild {
-		args = append(args, "-fips")
-	}
-
 	args = append(args, "-files", MustExpand("{{.PWD}}/build/distributions/*"))
 
 	if out, err := goTest(args...); err != nil {
diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
index 01f27b57297..17682d68c09 100644
--- a/dev-tools/mage/pkgtypes.go
+++ b/dev-tools/mage/pkgtypes.go
@@ -28,6 +28,7 @@ import (
 	"gopkg.in/yaml.v3"
 
 	"github.com/elastic/elastic-agent/dev-tools/mage/pkgcommon"
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 )
 
 const (
@@ -39,13 +40,13 @@ const (
 	packageStagingDir = "build/package"
 
 	// defaultBinaryName specifies the output file for zip and tar.gz.
-	defaultBinaryName = "{{.Name}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}{{if .FIPS}}-fips{{end}}"
+	defaultBinaryName = "{{.Name}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}"
 
 	// defaultRootDir is the default name of the root directory contained inside of zip and
 	// tar.gz packages.
 	// NOTE: This uses .BeatName instead of .Name because we wanted the internal
 	// directory to not include "-oss".
-	defaultRootDir = "{{.BeatName}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}{{if .FIPS}}-fips{{end}}"
+	defaultRootDir = "{{.BeatName}}{{if .Qualifier}}-{{.Qualifier}}{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}"
 
 	componentConfigMode os.FileMode = 0600
 
@@ -105,6 +106,7 @@ type PackageSpec struct {
 	Qualifier         string                 `yaml:"qualifier,omitempty"`   // Optional
 	OutputFile        string                 `yaml:"output_file,omitempty"` // Optional
 	ExtraVars         map[string]string      `yaml:"extra_vars,omitempty"`  // Optional
+	Components        []packaging.BinarySpec `yaml:"components"`            // Optional: Components required for this package
 
 	evalContext            map[string]interface{}
 	packageDir             string
@@ -415,6 +417,7 @@ func (s PackageSpec) Evaluate(args ...map[string]interface{}) PackageSpec {
 		s.packageDir = filepath.Clean(mustExpand(s.packageDir))
 	}
 	s.evalContext["PackageDir"] = s.packageDir
+	s.evalContext["fips"] = s.FIPS
 
 	evaluatedFiles := make(map[string]PackageFile, len(s.Files))
 	for target, f := range s.Files {
diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
index b237ebe7900..c37813d40c2 100644
--- a/dev-tools/mage/settings.go
+++ b/dev-tools/mage/settings.go
@@ -336,7 +336,7 @@ func AgentPackageVersion() (string, error) {
 	return BeatQualifiedVersion()
 }
 
-func PackageManifest() (string, error) {
+func PackageManifest(fips bool) (string, error) {
 
 	packageVersion, err := AgentPackageVersion()
 	if err != nil {
@@ -353,14 +353,15 @@ func PackageManifest() (string, error) {
 		return "", fmt.Errorf("retrieving agent commit hash: %w", err)
 	}
 
-	return GeneratePackageManifest(BeatName, packageVersion, Snapshot, hash, commitHashShort)
+	return GeneratePackageManifest(BeatName, packageVersion, Snapshot, hash, commitHashShort, fips)
 }
 
-func GeneratePackageManifest(beatName, packageVersion string, snapshot bool, fullHash, shortHash string) (string, error) {
+func GeneratePackageManifest(beatName, packageVersion string, snapshot bool, fullHash, shortHash string, fips bool) (string, error) {
 	m := v1.NewManifest()
 	m.Package.Version = packageVersion
 	m.Package.Snapshot = snapshot
 	m.Package.Hash = fullHash
+	m.Package.Fips = fips
 
 	versionedHomePath := path.Join("data", fmt.Sprintf("%s-%s", beatName, shortHash))
 	m.Package.VersionedHome = versionedHomePath
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index 250f65b4972..d216fffa8ff 100644
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -1,9 +1,218 @@
 ---
 
-# This file contains the package specifications for both Community Beats and
-# Official Beats. The shared section contains YAML anchors that are used to
+# This file contains the package specifications for Elastic Agent
+
+# List all the available platforms
+platforms: &all-platforms
+  - &linux-amd64
+    os: linux
+    arch: x86_64
+  - &linux-arm64
+    os: linux
+    arch: arm64
+  - &windows-amd64
+    os: windows
+    arch: x86_64
+  - &darwin-amd64
+    os: darwin
+    arch: x86_64
+  - &darwin-arm64
+    os: darwin
+    arch: aarch64
+
+# List all the package type constants (see dev-tools/mage/pkgcommon/pkgcommon-types.go)
+packageTypes: &all-package-types
+  - &pkg-type-rpm
+      1 # RPM
+  - &pkg-type-deb
+      2 # Deb
+  - &pkg-type-zip
+      3 # zip
+  - &pkg-type-targz
+      4 # tar.gz
+  - &pkg-type-docker
+      5 # docker
+
+# Settings section contains general compiling and packaging settings
+settings:
+  fips:
+    compile:
+      cgo: true
+      env:
+        GOEXPERIMENT: systemcrypto
+      tags:
+        - requirefips
+      platforms:
+        - *linux-amd64
+        - *linux-arm64
+
+# List *all* the components available for packaging in elastic-agent
+components:
+  # general template for new components (all attributes are mandatory)
+  #  - &comp-<anchor name>
+  #    projectName: <project name under manifest>
+  #    packageName: <template representing the name of the archive to download/extract>
+  #    binaryName: <binary name>
+  #    rootDir: <template representing directory from the archive root where the binary is located>
+  #    fips: <boolean indicating if this component is FIPS compliant>
+  #    platforms:
+  #      - <platform, use anchors for platforms above>
+  #    pythonWheel: true # true if it's a package that is not platform specific
+  #    packageTypes: *all-package-types # package types it should be included in
+  - &comp-agentbeat
+    projectName: beats
+    packageName: agentbeat-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: agentbeat-{{.Version}}-{{.Platform}}
+    binaryName: agentbeat
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-apm_server
+    projectName: apm-server
+    packageName: apm-server-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: apm-server-{{.Version}}-{{.Platform}}
+    binaryName: apm-server
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+      - *windows-amd64
+      - *darwin-amd64
+    packageTypes: *all-package-types
+  - &comp-cloudbeat
+    projectName: cloudbeat
+    packageName: cloudbeat-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: cloudbeat-{{.Version}}-{{.Platform}}
+    binaryName: cloudbeat
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-cloud-defend
+    projectName: cloud-defend
+    packageName: cloud-defend-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: cloud-defend-{{.Version}}-{{.Arch}}
+    binaryName: cloud-defend
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes:
+      - *pkg-type-docker
+  - &comp-connectors
+    projectName: connectors
+    packageName: connectors-{{.Version}}.zip
+    # FIXME: connectors use only <major>.<minor>.<patch> in the root directory name so the definition should be something
+    # using the beat_version or similar
+    # We don't support that yet, so we are defining a rootDir that will error out if rendered. This is not a problem since
+    # we don't extract/manipulate the archive during packaging, it has its own special handling in the 'service' docker image
+    rootDir: elasticsearch_connectors-{{beat_version}}
+    binaryName: connectors
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    pythonWheel: true
+    packageTypes: *all-package-types
+  - &comp-endpoint
+    projectName: endpoint-dev
+    packageName: endpoint-security-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: endpoint-security-{{.Version}}-{{.Platform}}
+    binaryName: endpoint-security
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-fleet-server
+    projectName: fleet-server
+    packageName: fleet-server-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: fleet-server-{{.Version}}-{{.Platform}}
+    binaryName: fleet-server
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-pf-elastic-collector
+    projectName: prodfiler
+    packageName: pf-elastic-collector-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: pf-elastic-collector-{{.Version}}-{{.Platform}}
+    binaryName: pf-elastic-collector
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-pf-elastic-symbolizer
+    projectName: prodfiler
+    packageName: pf-elastic-symbolizer-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: pf-elastic-symbolizer-{{.Version}}-{{.Platform}}
+    binaryName: pf-elastic-symbolizer
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-pf-host-agent
+    projectName: prodfiler
+    packageName: pf-host-agent-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: pf-host-agent-{{.Version}}-{{.Platform}}
+    binaryName: pf-host-agent
+    fips: false
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  # Elastic Agent core component, defined here because it's a dependency when packaging using elastic-agent DRA
+  - &comp-elastic-agent-core
+    projectName: elastic-agent-core
+    packageName: elastic-agent-core-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: elastic-agent-core-{{.Version}}-{{.Platform}}
+    binaryName: elastic-agent
+    fips: false
+    platforms: *all-platforms
+    packageTypes: *all-package-types
+  - &comp-agentbeat-fips
+    projectName: beats
+    packageName: agentbeat-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: agentbeat-{{.Version}}-{{.Platform}}
+    binaryName: agentbeat
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-apm_server-fips
+    projectName: apm-server
+    packageName: apm-server-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: apm-server-fips-{{.Version}}-{{.Platform}}
+    binaryName: apm-server
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  - &comp-fleet-server-fips
+    projectName: fleet-server
+    packageName: fleet-server-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: fleet-server-fips-{{.Version}}-{{.Platform}}
+    binaryName: fleet-server
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+  # Elastic Agent core component (FIPS-compliant version), defined here because it's a dependency when packaging using elastic-agent DRA
+  - &comp-elastic-agent-core-fips
+    projectName: elastic-agent-core
+    packageName: elastic-agent-core-fips-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: elastic-agent-core-{{.Version}}-{{.Platform}}
+    binaryName: elastic-agent
+    fips: true
+    platforms:
+      - *linux-amd64
+      - *linux-arm64
+    packageTypes: *all-package-types
+# The shared section contains YAML anchors that are used to
 # define common parts of the package in order to not repeat ourselves.
-
 shared:
   - &common
     name: '{{.BeatName}}'
@@ -16,7 +225,41 @@ shared:
     url: '{{.BeatURL}}'
     description: '{{.BeatDescription}}'
 
+  - &common_fips
+    name: '{{.BeatName}}-fips'
+    service_name: '{{.BeatServiceName}}'
+    os: '{{.GOOS}}'
+    arch: '{{.PackageArch}}'
+    vendor: '{{.BeatVendor}}'
+    version: '{{ agent_package_version }}'
+    fips: true
+    license: '{{.BeatLicense}}'
+    url: '{{.BeatURL}}'
+    description: '{{.BeatDescription}}'
+
   # agent specific
+
+  # components included in elastic-agent package specs defined before components support in this YAML
+  - &elastic_agent_components
+    components:
+      - *comp-agentbeat
+      - *comp-apm_server
+      - *comp-cloudbeat
+      - *comp-cloud-defend
+      - *comp-connectors
+      - *comp-endpoint
+      - *comp-fleet-server
+      - *comp-pf-elastic-collector
+      - *comp-pf-elastic-symbolizer
+      - *comp-pf-host-agent
+
+  # components included in FIPS-compliant elastic-agent package specs
+  - &elastic_agent_fips_components
+    components:
+      - *comp-agentbeat-fips
+      - *comp-apm_server-fips
+      - *comp-fleet-server-fips
+
   # Deb/RPM spec for community beats.
   - &deb_rpm_agent_spec
     <<: *common
@@ -79,7 +322,7 @@ shared:
       /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{agent_package_version}}{{snapshot_suffix}}-{{ commit_short }}/manifest.yaml:
         mode: 0644
         content: >
-          {{ manifest }}
+          {{ manifest .fips }}
 
   - &linux_otel_files
     'otelcol':
@@ -124,7 +367,7 @@ shared:
     'manifest.yaml':
       mode: 0644
       content: >
-        {{ manifest }}
+        {{ manifest .fips }}
 
   - &agent_binary_files
     '{{.BeatName}}{{.BinaryExt}}':
@@ -170,7 +413,7 @@ shared:
     <<: *agent_darwin_app_bundle_files
     <<: *agent_binary_common_files
 
-  - &agent_components
+  - &agent_unpacked_components_files
     'data/{{.BeatName}}-{{ commit_short }}/components':
       source: '{{.AgentDropPath}}/{{.GOOS}}-{{.AgentArchName}}.tar.gz/'
       mode: 0755
@@ -180,21 +423,30 @@ shared:
   # Binary package spec (tar.gz for linux) for community beats.
   - &agent_binary_spec
     <<: *common
+    <<: *elastic_agent_components
     files:
       <<: *agent_binary_files
-      <<: *agent_components
       <<: *linux_otel_files
+      <<: *agent_unpacked_components_files
 
+  - &agent_binary_fips_spec
+    <<: *common_fips
+    <<: *elastic_agent_fips_components
+    files:
+      <<: *agent_binary_files
+      <<: *agent_unpacked_components_files
 
   - &agent_darwin_binary_spec
     <<: *common
+    <<: *elastic_agent_components
     files:
       <<: *agent_darwin_binary_files
-      <<: *agent_components
+      <<: *agent_unpacked_components_files
 
   # Binary package spec (zip for windows) for community beats.
   - &agent_windows_binary_spec
     <<: *common
+    <<: *elastic_agent_components
     files:
       <<: *agent_binary_files
       'data/{{.BeatName}}-{{ commit_short }}/components':
@@ -244,11 +496,17 @@ shared:
     docker_variant: 'wolfi'
     extra_vars:
       from: '--platform=linux/amd64 cgr.dev/chainguard/wolfi-base'
+
   - &docker_wolfi_arm_spec
     docker_variant: 'wolfi'
     extra_vars:
       from: '--platform=linux/arm64 cgr.dev/chainguard/wolfi-base'
 
+  - &docker_fips_spec
+    docker_variant: 'basic'
+    extra_vars:
+      from: 'docker.elastic.co/wolfi/chainguard-base-fips:latest'
+
   - &docker_elastic_spec
     extra_vars:
       repository: 'docker.elastic.co/elastic-agent'
@@ -278,6 +536,27 @@ shared:
         source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
         mode: 0755
 
+  - &agent_docker_fips_spec
+    <<: *agent_binary_fips_spec
+    extra_vars:
+      dockerfile: 'Dockerfile.elastic-agent.tmpl'
+      docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
+      user: '{{ .BeatName }}'
+      linux_capabilities: ''
+      beats_install_path: "install"
+    files:
+      'elastic-agent.yml':
+        source: 'elastic-agent.docker.yml'
+        mode: 0600
+        config: true
+      '.elastic-agent.active.commit':
+        content: >
+          {{ commit }}
+        mode: 0644
+      'hints.inputs.d':
+        source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
+        mode: 0755
+
   # cloud build to beats-ci repository
   - &agent_docker_cloud_spec
     docker_variant: 'cloud'
@@ -294,6 +573,21 @@ shared:
         source: '{{.AgentDropPath}}/archives/{{.GOOS}}-{{.AgentArchName}}.tar.gz/agentbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz'
         mode: 0755
 
+  - &agent_docker_cloud_fips_spec
+    docker_variant: 'cloud'
+    extra_vars:
+      repository: 'docker.elastic.co/beats-ci'
+    files:
+      'data/cloud_downloads/filebeat.sh':
+        source: '{{ elastic_beats_dir }}/dev-tools/packaging/files/linux/filebeat.sh'
+        mode: 0755
+      'data/cloud_downloads/metricbeat.sh':
+        source: '{{ elastic_beats_dir }}/dev-tools/packaging/files/linux/metricbeat.sh'
+        mode: 0755
+      'data/cloud_downloads/agentbeat-fips-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz':
+        source: '{{.AgentDropPath}}/archives/{{.GOOS}}-{{.AgentArchName}}.tar.gz/agentbeat-fips-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz'
+        mode: 0755
+
   # service build is based on previous cloud variant
   - &agent_docker_service_spec
     docker_variant: 'service'
@@ -1108,6 +1402,71 @@ specs:
             symlink: true
             mode: 0755
 
+    ######## Start FIPS Specs ########
+    - os: linux
+      types: [tgz]
+      spec:
+        <<: *agent_binary_fips_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}
+            symlink: true
+            mode: 0755
+
+    - os: linux
+      arch: amd64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *docker_builder_spec
+        <<: *agent_docker_fips_spec
+        <<: *docker_elastic_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
+    - os: linux
+      arch: arm64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *docker_builder_arm_spec
+        <<: *agent_docker_fips_spec
+        <<: *docker_elastic_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
+    - os: linux
+      arch: amd64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *agent_docker_fips_spec
+        # The cloud image is always based on Wolfi
+        <<: *docker_builder_spec
+        <<: *agent_docker_cloud_fips_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+    - os: linux
+      arch: arm64
+      types: [ docker ]
+      spec:
+        <<: *docker_fips_spec
+        <<: *agent_docker_fips_spec
+        # The cloud image is always based on Wolfi
+        <<: *docker_builder_arm_spec
+        <<: *agent_docker_cloud_fips_spec
+        <<: *elastic_license_for_binaries
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+    ######## End FIPS Specs ########
 
   # Elastic Beat with Elastic License and binary taken from the x-pack dir.
   elastic_beat_agent_demo_binaries:
@@ -1156,6 +1515,7 @@ specs:
         <<: *common
         <<: *elastic_license_for_binaries
         version: '{{ beat_version }}'
+        # this is a way to place 'core' in the correct place for both the archive and the root dir, see defaultRootDir in dev-tools/mage/pkgtypes.go
         qualifier: core
         files:
           '{{.BeatName}}{{.BinaryExt}}':
@@ -1193,3 +1553,15 @@ specs:
         files:
           '{{.BeatName}}{{.BinaryExt}}':
             source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+
+    - os: linux
+      types: [tgz]
+      spec:
+        <<: *common_fips
+        <<: *elastic_license_for_binaries
+        name: '{{.BeatName}}'
+        version: '{{ beat_version }}'
+        qualifier: 'core-fips'
+        files:
+          '{{.BeatName}}{{.BinaryExt}}':
+            source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
diff --git a/dev-tools/packaging/settings.go b/dev-tools/packaging/settings.go
new file mode 100644
index 00000000000..a4691af5deb
--- /dev/null
+++ b/dev-tools/packaging/settings.go
@@ -0,0 +1,285 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package packaging
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+	"log"
+	"slices"
+	"text/template"
+
+	"github.com/magefile/mage/mg"
+	"gopkg.in/yaml.v3"
+
+	"github.com/elastic/elastic-agent/dev-tools/mage/pkgcommon"
+)
+
+var (
+	//go:embed packages.yml
+	packageSpecBytes []byte
+	platformPackages = map[string]platformAndExt{
+		"darwin/amd64": {
+			platform: "darwin-x86_64",
+			os:       "darwin",
+			arch:     "amd64",
+			ext:      "tar.gz",
+		},
+		"darwin/arm64": {
+			platform: "darwin-aarch64",
+			os:       "darwin",
+			arch:     "arm64",
+			ext:      "tar.gz",
+		},
+		"linux/amd64": {
+			platform: "linux-x86_64",
+			os:       "linux",
+			arch:     "amd64",
+			ext:      "tar.gz",
+		},
+		"linux/arm64": {
+			platform: "linux-arm64",
+			os:       "linux",
+			arch:     "arm64",
+			ext:      "tar.gz",
+		},
+		"windows/amd64": {
+			platform: "windows-x86_64",
+			os:       "windows",
+			arch:     "amd64",
+			ext:      "zip",
+		},
+	}
+	settings *packagesConfig
+)
+
+func init() {
+	packageSettings, err := parsePackageSettings(bytes.NewReader(packageSpecBytes))
+	if err != nil {
+		log.Printf("Error loading package settings: %v", err)
+		return
+	}
+
+	settings = packageSettings
+}
+
+type platformAndExt struct {
+	platform string
+	os       string
+	arch     string
+	ext      string
+}
+
+type BinarySpec struct {
+	BinaryName   string                  `yaml:"binaryName"`
+	PackageName  string                  `yaml:"packageName"`
+	RootDir      string                  `yaml:"rootDir"`
+	ProjectName  string                  `yaml:"projectName"`
+	FIPS         bool                    `yaml:"fips"`
+	Platforms    []Platform              `yaml:"platforms"`
+	PythonWheel  bool                    `yaml:"pythonWheel"`
+	PackageTypes []pkgcommon.PackageType `yaml:"packageTypes"`
+}
+
+func (proj BinarySpec) SupportsPlatform(platform string) bool {
+	for _, p := range proj.Platforms {
+		if p.Platform() == platform {
+			return true
+		}
+	}
+	return false
+}
+
+func (proj BinarySpec) SupportsPackageType(pkgType pkgcommon.PackageType) bool {
+	for _, p := range proj.PackageTypes {
+		if p == pkgType {
+			return true
+		}
+	}
+	return false
+}
+
+// GetPackageName will return a rendered version of the BinarySpec.packageName attribute (which is a golang template),
+// using version and platform strings provided to create a template context containing 'Version', 'Platform' and 'Ext' values.
+// The string returned will contain the expected filename of the package file for the BinarySpec
+func (proj BinarySpec) GetPackageName(version string, platform string) string {
+	tmpl, err := template.New("package_name").Parse(proj.PackageName)
+	if err != nil {
+		panic(fmt.Errorf("parsing packageName template for project/binary %s/%s %q: %w", proj.ProjectName, proj.BinaryName, proj.PackageName, err))
+	}
+
+	tmplContext := createTemplateContext(version, platform)
+
+	var buf bytes.Buffer
+	err = tmpl.Execute(&buf, tmplContext)
+	if err != nil {
+		panic(fmt.Errorf("rendering packageName template for project/binary %s/%s %q with context %v: %w",
+			proj.ProjectName, proj.BinaryName, proj.PackageName, tmplContext, err))
+	}
+	return buf.String()
+}
+
+func createTemplateContext(version string, platform string) map[string]string {
+	// look for the platform strings, if not found an empty object is returned and empty values will be used for rendering
+	pltfStrings := platformPackages[platform]
+	tmplContext := map[string]string{"Version": version, "Platform": pltfStrings.platform, "Ext": pltfStrings.ext, "OS": pltfStrings.os, "Arch": pltfStrings.arch}
+	return tmplContext
+}
+
+// GetRootDir will return a rendered version of the BinarySpec.rootDir attribute (which is a golang template), using
+// version and platform strings provided to create a template context containing 'Version', 'Platform' and 'Ext' values.
+// The string returned will contain the expected name of the root directory created when extracted the package file for
+// the BinarySpec
+func (proj BinarySpec) GetRootDir(version string, platform string) string {
+	if proj.RootDir == "" {
+		// shortcut to avoid rendering template when there's no RootDir specified
+		return ""
+	}
+	tmpl, err := template.New("rootDir").Parse(proj.RootDir)
+	if err != nil {
+		panic(fmt.Errorf("parsing rootDir template for project/binary %s/%s %q: %w", proj.ProjectName, proj.BinaryName, proj.RootDir, err))
+	}
+
+	tmplContext := createTemplateContext(version, platform)
+
+	var buf bytes.Buffer
+	err = tmpl.Execute(&buf, tmplContext)
+	if err != nil {
+		panic(fmt.Errorf("rendering rootDir template for project/binary %s/%s %q with context %v: %w",
+			proj.ProjectName, proj.BinaryName, proj.PackageName, tmplContext, err))
+	}
+	return buf.String()
+}
+
+func (proj BinarySpec) Equal(other BinarySpec) bool {
+	if proj.BinaryName != other.BinaryName {
+		return false
+	}
+
+	if proj.PackageName != other.PackageName {
+		return false
+	}
+
+	if proj.RootDir != other.RootDir {
+		return false
+	}
+
+	if proj.ProjectName != other.ProjectName {
+		return false
+	}
+
+	if proj.FIPS != other.FIPS {
+		return false
+	}
+
+	if !slices.Equal(proj.Platforms, other.Platforms) {
+		return false
+	}
+
+	if proj.PythonWheel != other.PythonWheel {
+		return false
+	}
+
+	if !slices.Equal(proj.PackageTypes, other.PackageTypes) {
+		return false
+	}
+
+	return true
+}
+
+type Platform struct {
+	OS   string
+	Arch string
+}
+
+// Converts to the format expected on the mage command line "linux", "x86_64" = "linux/amd64"
+func (p Platform) Platform() string {
+	switch p.Arch {
+	case "x86_64":
+		p.Arch = "amd64"
+	case "aarch64":
+		p.Arch = "arm64"
+	}
+	return p.OS + "/" + p.Arch
+}
+
+type FIPSConfig struct {
+	Compile struct {
+		CGO       bool              `yaml:"cgo"`
+		Env       map[string]string `yaml:"env"`
+		Tags      []string          `yaml:"tags"`
+		Platforms []Platform        `yaml:"platforms"`
+	} `yaml:"compile"`
+}
+
+type GlobalSettings struct {
+	FIPS FIPSConfig `yaml:"fips"`
+}
+
+type packagesConfig struct {
+	Platforms    []Platform              `yaml:"platforms"`
+	PackageTypes []pkgcommon.PackageType `yaml:"packageTypes"`
+	Components   []BinarySpec            `yaml:"components"`
+	Settings     GlobalSettings          `yaml:"settings"`
+}
+
+func parsePackageSettings(r io.Reader) (*packagesConfig, error) {
+	packagesConf := new(packagesConfig)
+	err := yaml.NewDecoder(r).Decode(packagesConf)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling package spec yaml: %w", err)
+	}
+
+	if mg.Verbose() {
+		log.Printf("Read packages config: %+v", packagesConf)
+	}
+	return packagesConf, nil
+}
+
+// Components returns a *copy* of all the binary specs loaded from packages.yml
+func Components() ([]BinarySpec, error) {
+	if settings == nil {
+		return nil, fmt.Errorf("package settings not loaded")
+	}
+	ret := make([]BinarySpec, len(settings.Components))
+	copy(ret, settings.Components)
+	return ret, nil
+}
+
+func Settings() GlobalSettings {
+	return settings.Settings
+}
+
+func FilterComponents(filters ...ComponentFilter) []BinarySpec {
+	ret := make([]BinarySpec, 0, len(settings.Components))
+
+COMPLOOP:
+	for _, c := range settings.Components {
+		for _, filter := range filters {
+			if !filter(c) {
+				// this filter doesn't match, move to the next component
+				continue COMPLOOP
+			}
+		}
+		ret = append(ret, c)
+	}
+	return ret
+}
+
+type ComponentFilter func(BinarySpec) bool
+
+func WithProjectName(projectName string) ComponentFilter {
+	return func(p BinarySpec) bool {
+		return p.ProjectName == projectName
+	}
+}
+
+func WithFIPS(fips bool) ComponentFilter {
+	return func(p BinarySpec) bool {
+		return p.FIPS == fips
+	}
+}
diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/testing/package_test.go
similarity index 83%
rename from dev-tools/packaging/package_test.go
rename to dev-tools/packaging/testing/package_test.go
index 0f0f03ba9bf..d885f4f2e89 100644
--- a/dev-tools/packaging/package_test.go
+++ b/dev-tools/packaging/testing/package_test.go
@@ -2,7 +2,7 @@
 // or more contributor license agreements. Licensed under the Elastic License 2.0;
 // you may not use this file except in compliance with the Elastic License 2.0.
 
-package packaging
+package testing
 
 // This file contains tests that can be run on the generated packages.
 // To run these tests use `go test package_test.go`.
@@ -24,7 +24,6 @@ import (
 	"hash"
 	"io"
 	"os"
-	"path"
 	"path/filepath"
 	"regexp"
 	"slices"
@@ -65,20 +64,21 @@ var (
 )
 
 var (
-	files             = flag.String("files", "../build/distributions/*/*", "filepath glob containing package files")
+	files             = flag.String("files", "../build/distributions/*", "filepath glob containing package files")
 	modules           = flag.Bool("modules", false, "check modules folder contents")
 	minModules        = flag.Int("min-modules", 4, "minimum number of modules to expect in modules folder")
 	modulesd          = flag.Bool("modules.d", false, "check modules.d folder contents")
 	monitorsd         = flag.Bool("monitors.d", false, "check monitors.d folder contents")
 	rootOwner         = flag.Bool("root-owner", false, "expect root to own package files")
 	rootUserContainer = flag.Bool("root-user-container", false, "expect root in container user")
-	fips              = flag.Bool("fips", false, "check agent binary for FIPS compliance")
 )
 
 func TestRPM(t *testing.T) {
 	rpms := getFiles(t, regexp.MustCompile(`\.rpm$`))
 	for _, rpm := range rpms {
-		checkRPM(t, rpm)
+		t.Run(filepath.Base(rpm), func(t *testing.T) {
+			checkRPM(t, rpm)
+		})
 	}
 }
 
@@ -86,38 +86,41 @@ func TestDeb(t *testing.T) {
 	debs := getFiles(t, regexp.MustCompile(`\.deb$`))
 	buf := new(bytes.Buffer)
 	for _, deb := range debs {
-		checkDeb(t, deb, buf)
+		t.Run(filepath.Base(deb), func(t *testing.T) {
+			checkDeb(t, deb, buf)
+		})
 	}
 }
 
 func TestTar(t *testing.T) {
 	// Regexp matches *-arch.tar.gz, but not *-arch.docker.tar.gz
-	tars := getFiles(t, regexp.MustCompile(`-\w+\.tar\.gz$`))
-	for _, tar := range tars {
-		checkTar(t, tar, false)
-	}
-}
+	tarFiles := getFiles(t, regexp.MustCompile(`-\w+\.tar\.gz$`))
+	for _, tarFile := range tarFiles {
+		t.Run(filepath.Base(tarFile), func(t *testing.T) {
+			fipsPackage := strings.Contains(tarFile, "-fips-")
+			checkTar(t, tarFile, fipsPackage)
+		})
 
-func TestFIPSTar(t *testing.T) {
-	// Regexp matches *-arch-fips.tar.gz, but not *-arch.docker.tar.gz
-	tars := getFiles(t, regexp.MustCompile(`-\w+-fips\.tar\.gz$`))
-	for _, tar := range tars {
-		checkTar(t, tar, *fips)
 	}
 }
 
 func TestZip(t *testing.T) {
 	zips := getFiles(t, regexp.MustCompile(`^\w+\S+.zip$`))
 	for _, zip := range zips {
-		checkZip(t, zip)
+		t.Run(filepath.Base(zip), func(t *testing.T) {
+			checkZip(t, zip)
+		})
 	}
 }
 
 func TestDocker(t *testing.T) {
 	dockers := getFiles(t, regexp.MustCompile(`\.docker\.tar\.gz$`))
 	for _, docker := range dockers {
-		t.Log(docker)
-		checkDocker(t, docker)
+		fipsPackage := strings.Contains(docker, "-fips-")
+		t.Run(filepath.Base(docker), func(t *testing.T) {
+			t.Log(docker)
+			checkDocker(t, docker, fipsPackage)
+		})
 	}
 }
 
@@ -181,18 +184,20 @@ func checkTar(t *testing.T, file string, fipsCheck bool) {
 	checkModulesOwner(t, p, true)
 	checkLicensesPresent(t, "", p)
 
-	t.Run(p.Name+"_check_manifest_file", func(t *testing.T) {
-		tempExtractionPath := t.TempDir()
-		err = mage.Extract(file, tempExtractionPath)
-		require.NoError(t, err, "error extracting tar archive")
-		containingDir := strings.TrimSuffix(path.Base(file), ".tar.gz")
-		checkManifestFileContents(t, filepath.Join(tempExtractionPath, containingDir))
-		if fipsCheck {
-			checkFIPS(t, filepath.Join(tempExtractionPath, containingDir))
-		}
-	})
+	// extract archive in a temporary directory
+	tempExtractionPath := t.TempDir()
+	err = mage.Extract(file, tempExtractionPath)
+	require.NoErrorf(t, err, "error extracting archive %q", file)
+
+	t.Run("check_manifest_file", testManifestFile(tempExtractionPath, fipsCheck))
 
 	checkSha512PackageHash(t, file)
+
+	if fipsCheck {
+		t.Run("FIPS check", func(t *testing.T) {
+			checkFIPS(t, tempExtractionPath)
+		})
+	}
 }
 
 func checkZip(t *testing.T, file string) {
@@ -209,17 +214,26 @@ func checkZip(t *testing.T, file string) {
 	checkModulesPermissions(t, p)
 	checkLicensesPresent(t, "", p)
 
-	t.Run(p.Name+"_check_manifest_file", func(t *testing.T) {
-		tempExtractionPath := t.TempDir()
-		err = mage.Extract(file, tempExtractionPath)
-		require.NoError(t, err, "error extracting zip archive")
-		containingDir := strings.TrimSuffix(path.Base(file), ".zip")
-		checkManifestFileContents(t, filepath.Join(tempExtractionPath, containingDir))
-	})
+	// extract archive in a temporary directory
+	tempExtractionPath := t.TempDir()
+	err = mage.Extract(file, tempExtractionPath)
+	require.NoErrorf(t, err, "error extracting archive %q", file)
+
+	t.Run("check_manifest_file", testManifestFile(tempExtractionPath, false))
 
 	checkSha512PackageHash(t, file)
 }
 
+func testManifestFile(agentPackageRootDir string, checkFips bool) func(t *testing.T) {
+	return func(t *testing.T) {
+		dirEntries, err := os.ReadDir(agentPackageRootDir)
+		require.NoErrorf(t, err, "error listing extraction dir %q", agentPackageRootDir)
+		require.Lenf(t, dirEntries, 1, "archive should contain a single directory: found %v", dirEntries)
+		containingDir := dirEntries[0].Name()
+		checkManifestFileContents(t, filepath.Join(agentPackageRootDir, containingDir))
+	}
+}
+
 func checkManifestFileContents(t *testing.T, extractedPackageDir string) {
 	t.Log("Checking file manifest.yaml")
 	m := parseManifest(t, extractedPackageDir)
@@ -247,7 +261,7 @@ func checkManifestFileContents(t *testing.T, extractedPackageDir string) {
 func parseManifest(t *testing.T, dir string) v1.PackageManifest {
 	manifestReadCloser, err := os.Open(filepath.Join(dir, v1.ManifestFileName))
 	if err != nil {
-		t.Errorf("opening manifest %s : %v", v1.ManifestFileName, err)
+		t.Fatalf("opening manifest %s : %v", v1.ManifestFileName, err)
 	}
 	defer func(closer io.ReadCloser) {
 		err := closer.Close()
@@ -256,7 +270,7 @@ func parseManifest(t *testing.T, dir string) v1.PackageManifest {
 
 	m, err := v1.ParseManifest(manifestReadCloser)
 	if err != nil {
-		t.Errorf("unmarshaling package manifest: %v", err)
+		t.Fatalf("unmarshaling package manifest: %v", err)
 	}
 	return *m
 }
@@ -302,7 +316,7 @@ func checkNpcapNotices(pkg, file string, contents io.Reader) error {
 	return nil
 }
 
-func checkDocker(t *testing.T, file string) {
+func checkDocker(t *testing.T, file string, fipsPackage bool) {
 	p, info, err := readDocker(file)
 	if err != nil {
 		t.Errorf("error reading file %v: %v", file, err)
@@ -313,7 +327,10 @@ func checkDocker(t *testing.T, file string) {
 	checkDockerLabels(t, p, info, file)
 	checkDockerUser(t, p, info, *rootUserContainer)
 	checkFilePermissions(t, p, configFilePattern, os.FileMode(0644))
-	checkFilePermissions(t, p, otelcolScriptPattern, os.FileMode(0755))
+	if !fipsPackage {
+		// FIPS docker image do not contain an otelcol script, run this check only on non FIPS compliant images
+		checkFilePermissions(t, p, otelcolScriptPattern, os.FileMode(0755))
+	}
 	checkManifestPermissionsWithMode(t, p, os.FileMode(0644))
 	checkModulesPresent(t, "", p)
 	checkModulesDPresent(t, "", p)
@@ -327,7 +344,7 @@ func checkConfigPermissions(t *testing.T, p *packageFile) {
 }
 
 func checkFilePermissions(t *testing.T, p *packageFile, configPattern *regexp.Regexp, expectedMode os.FileMode) {
-	t.Run(p.Name+" file permissions", func(t *testing.T) {
+	t.Run("file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if configPattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -356,7 +373,7 @@ func checkOwner(t *testing.T, entry packageEntry, expectRoot bool) {
 }
 
 func checkConfigOwner(t *testing.T, p *packageFile, expectRoot bool) {
-	t.Run(p.Name+" config file owner", func(t *testing.T) {
+	t.Run("config file owner", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if configFilePattern.MatchString(entry.File) {
 				checkOwner(t, entry, expectRoot)
@@ -373,7 +390,7 @@ func checkManifestPermissions(t *testing.T, p *packageFile) {
 }
 
 func checkManifestPermissionsWithMode(t *testing.T, p *packageFile, expectedMode os.FileMode) {
-	t.Run(p.Name+" manifest file permissions", func(t *testing.T) {
+	t.Run("manifest file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if manifestFilePattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -388,7 +405,7 @@ func checkManifestPermissionsWithMode(t *testing.T, p *packageFile, expectedMode
 
 // Verify that the manifest owner is correct.
 func checkManifestOwner(t *testing.T, p *packageFile, expectRoot bool) {
-	t.Run(p.Name+" manifest file owner", func(t *testing.T) {
+	t.Run("manifest file owner", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if manifestFilePattern.MatchString(entry.File) {
 				checkOwner(t, entry, expectRoot)
@@ -399,7 +416,7 @@ func checkManifestOwner(t *testing.T, p *packageFile, expectRoot bool) {
 
 // Verify the permissions of the modules.d dir and its contents.
 func checkModulesPermissions(t *testing.T, p *packageFile) {
-	t.Run(p.Name+" modules.d file permissions", func(t *testing.T) {
+	t.Run("modules.d file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if modulesDFilePattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -420,7 +437,7 @@ func checkModulesPermissions(t *testing.T, p *packageFile) {
 
 // Verify the owner of the modules.d dir and its contents.
 func checkModulesOwner(t *testing.T, p *packageFile, expectRoot bool) {
-	t.Run(p.Name+" modules.d file owner", func(t *testing.T) {
+	t.Run("modules.d file owner", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if modulesDFilePattern.MatchString(entry.File) || modulesDDirPattern.MatchString(entry.File) {
 				checkOwner(t, entry, expectRoot)
@@ -433,7 +450,7 @@ func checkModulesOwner(t *testing.T, p *packageFile, expectRoot bool) {
 // executable.
 func checkSystemdUnitPermissions(t *testing.T, p *packageFile) {
 	const expectedMode = os.FileMode(0644)
-	t.Run(p.Name+" systemd unit file permissions", func(t *testing.T) {
+	t.Run("systemd unit file permissions", func(t *testing.T) {
 		for _, entry := range p.Contents {
 			if systemdUnitFilePattern.MatchString(entry.File) {
 				mode := entry.Mode.Perm()
@@ -469,7 +486,7 @@ func checkMonitorsDPresent(t *testing.T, prefix string, p *packageFile) {
 }
 
 func checkHintsInputsD(t *testing.T, name string, r *regexp.Regexp, p *packageFile) {
-	t.Run(fmt.Sprintf("%s %s contents", p.Name, name), func(t *testing.T) {
+	t.Run(fmt.Sprintf("%s contents", name), func(t *testing.T) {
 		total := 0
 		for _, entry := range p.Contents {
 			if r.MatchString(entry.File) {
@@ -536,7 +553,7 @@ func checkLicensesPresent(t *testing.T, prefix string, p *packageFile) {
 func checkDockerEntryPoint(t *testing.T, p *packageFile, info *dockerInfo) {
 	expectedMode := os.FileMode(0755)
 
-	t.Run(fmt.Sprintf("%s entrypoint", p.Name), func(t *testing.T) {
+	t.Run("entrypoint", func(t *testing.T) {
 		if len(info.Config.Entrypoint) == 0 {
 			t.Fatal("no entrypoint")
 		}
@@ -563,7 +580,7 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 		return
 	}
 
-	t.Run(fmt.Sprintf("%s license labels", p.Name), func(t *testing.T) {
+	t.Run("license labels", func(t *testing.T) {
 		expectedLicense := "Elastic License"
 		ossPrefix := strings.Join([]string{
 			info.Config.Labels["org.label-schema.name"],
@@ -584,7 +601,7 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 		}
 	})
 
-	t.Run(fmt.Sprintf("%s required labels", p.Name), func(t *testing.T) {
+	t.Run("required labels", func(t *testing.T) {
 		// From https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/program-on-boarding/technical-prerequisites
 		requiredLabels := []string{"name", "vendor", "version", "release", "summary", "description"}
 		for _, label := range requiredLabels {
@@ -596,60 +613,85 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri
 }
 
 func checkDockerUser(t *testing.T, p *packageFile, info *dockerInfo, expectRoot bool) {
-	t.Run(fmt.Sprintf("%s user", p.Name), func(t *testing.T) {
+	t.Run("user", func(t *testing.T) {
 		if expectRoot != (info.Config.User == rootUser) {
 			t.Errorf("unexpected docker user: %s", info.Config.User)
 		}
 	})
 }
 
-func checkFIPS(t *testing.T, extractedPackageDir string) {
+func checkFIPS(t *testing.T, agentPackageRootDir string) {
+	dirEntries, err := os.ReadDir(agentPackageRootDir)
+	require.NoErrorf(t, err, "error listing extraction dir %q", agentPackageRootDir)
+	require.Lenf(t, dirEntries, 1, "archive should contain a single directory: found %v", dirEntries)
+
+	extractedPackageDir := filepath.Join(agentPackageRootDir, dirEntries[0].Name())
 	t.Logf("Checking agent binary in %q for FIPS compliance", extractedPackageDir)
 	m := parseManifest(t, extractedPackageDir)
 	versionedHome := m.Package.VersionedHome
-	require.DirExistsf(t, filepath.Join(extractedPackageDir, versionedHome), " versiondedHome directory %q not found in %q", versionedHome, extractedPackageDir)
+	versionedHomePath := filepath.Join(extractedPackageDir, versionedHome)
+	require.DirExistsf(t, versionedHomePath, " versiondedHome directory %q not found in %q", versionedHome, extractedPackageDir)
 	binaryPath := filepath.Join(extractedPackageDir, versionedHome, "elastic-agent") // TODO eventually we will need to support .exe as well
 	require.FileExistsf(t, binaryPath, "Unable to find elastic-agent executable in versioned home in %q", extractedPackageDir)
 
-	info, err := buildinfo.ReadFile(binaryPath)
+	binaries := []string{binaryPath}
+	componentsDir := filepath.Join(versionedHomePath, "components")
+	entries, err := filepath.Glob(filepath.Join(componentsDir, "*.spec.yml"))
 	require.NoError(t, err)
-
-	foundTags := false
-	foundExperiment := false
-	for _, setting := range info.Settings {
-		switch setting.Key {
-		case "-tags":
-			foundTags = true
-			require.Contains(t, setting.Value, "requirefips")
-			continue
-		case "GOEXPERIMENT":
-			foundExperiment = true
-			require.Contains(t, setting.Value, "systemcrypto")
-			continue
-		}
+	for _, dirEntry := range entries {
+		componentBinary := strings.TrimSuffix(dirEntry, ".spec.yml")
+		binaries = append(binaries, componentBinary)
 	}
 
-	require.True(t, foundTags, "Did not find -tags within binary version information")
-	require.True(t, foundExperiment, "Did not find GOEXPERIMENT within binary version information")
+	for _, binary := range binaries {
+		binaryRelPath, err := filepath.Rel(agentPackageRootDir, binary)
+		require.NoError(t, err)
+		t.Run(binaryRelPath, func(t *testing.T) {
+			fileInfo, err := os.Stat(binary)
+			require.NoErrorf(t, err, "error collecting info on component %s", binary)
+			require.Truef(t, fileInfo.Mode().IsRegular() && (fileInfo.Mode().Perm()&0111 > 0), "component %s exists and has a spec file but it's not an executable regular file", binary)
+
+			info, err := buildinfo.ReadFile(binary)
+			require.NoError(t, err)
+
+			foundTags := false
+			foundExperiment := false
+			for _, setting := range info.Settings {
+				switch setting.Key {
+				case "-tags":
+					foundTags = true
+					require.Contains(t, setting.Value, "requirefips")
+					continue
+				case "GOEXPERIMENT":
+					foundExperiment = true
+					require.Contains(t, setting.Value, "systemcrypto")
+					continue
+				}
+			}
 
-	// TODO only elf is supported at the moment, in the future we will need to use macho (darwin) and pe (windows)
-	f, err := elf.Open(binaryPath)
-	require.NoError(t, err, "unable to open ELF file")
+			require.True(t, foundTags, "Did not find -tags within binary version information")
+			require.True(t, foundExperiment, "Did not find GOEXPERIMENT within binary version information")
 
-	symbols, err := f.Symbols()
-	if err != nil {
-		t.Logf("no symbols present in %q: %v", binaryPath, err)
-		return
-	}
+			// TODO only elf is supported at the moment, in the future we will need to use macho (darwin) and pe (windows)
+			f, err := elf.Open(binary)
+			require.NoError(t, err, "unable to open ELF file")
 
-	hasOpenSSL := false
-	for _, symbol := range symbols {
-		if strings.Contains(symbol.Name, "OpenSSL_version") {
-			hasOpenSSL = true
-			break
-		}
+			symbols, err := f.Symbols()
+			if err != nil {
+				t.Logf("no symbols present in %q: %v", binary, err)
+				return
+			}
+
+			hasOpenSSL := false
+			for _, symbol := range symbols {
+				if strings.Contains(symbol.Name, "OpenSSL_version") {
+					hasOpenSSL = true
+					break
+				}
+			}
+			require.True(t, hasOpenSSL, "unable to find OpenSSL_version symbol")
+		})
 	}
-	require.True(t, hasOpenSSL, "unable to find OpenSSL_version symbol")
 }
 
 // ensureNoBuildIDLinks checks for regressions related to
diff --git a/magefile.go b/magefile.go
index 4bd63db50d2..adac96d18e2 100644
--- a/magefile.go
+++ b/magefile.go
@@ -42,6 +42,7 @@ import (
 	"github.com/elastic/elastic-agent/dev-tools/mage/downloads"
 	"github.com/elastic/elastic-agent/dev-tools/mage/manifest"
 	"github.com/elastic/elastic-agent/dev-tools/mage/pkgcommon"
+	"github.com/elastic/elastic-agent/dev-tools/packaging"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/upgrade/artifact/download"
 	"github.com/elastic/elastic-agent/pkg/testing/buildkite"
 	tcommon "github.com/elastic/elastic-agent/pkg/testing/common"
@@ -96,8 +97,9 @@ const (
 
 	cloudImageTmpl = "docker.elastic.co/observability-ci/elastic-agent:%s"
 
-	baseURLForStagingDRA = "https://staging.elastic.co/"
-	agentCoreProjectName = "elastic-agent-core"
+	baseURLForSnapshotDRA = "https://snapshots.elastic.co/"
+	baseURLForStagingDRA  = "https://staging.elastic.co/"
+	agentCoreProjectName  = "elastic-agent-core"
 
 	helmChartPath      = "./deploy/helm/elastic-agent"
 	helmOtelChartPath  = "./deploy/helm/edot-collector/kube-stack"
@@ -575,6 +577,9 @@ func Package(ctx context.Context) error {
 		dependenciesVersion = beatVersion
 	}
 
+	// add the snapshot suffix if needed
+	dependenciesVersion += devtools.SnapshotSuffix()
+
 	packageAgent(ctx, platforms, dependenciesVersion, manifestResponse, mg.F(devtools.UseElasticAgentPackaging), mg.F(CrossBuild), devtools.SelectedPackageTypes)
 	return nil
 }
@@ -600,7 +605,16 @@ func DownloadManifest(ctx context.Context) error {
 		return errAtLeastOnePlatform
 	}
 
-	if e := manifest.DownloadComponents(ctx, devtools.ManifestURL, platforms, dropPath); e != nil {
+	// Enforce that we use the correct elastic-agent packaging, to correctly load component dependencies
+	// Use mg.Deps() to ensure that the function will be called only once per mage invocation.
+	// devtools.Use*Packaging functions are not idempotent as they append in devtools.Packages
+	mg.Deps(devtools.UseElasticAgentPackaging)
+	dependencies, err := ExtractComponentsFromSelectedPkgSpecs(devtools.Packages)
+	if err != nil {
+		return fmt.Errorf("failed extracting dependencies: %w", err)
+	}
+
+	if e := manifest.DownloadComponents(ctx, dependencies, devtools.ManifestURL, platforms, dropPath); e != nil {
 		return fmt.Errorf("failed to download the manifest file, %w", e)
 	}
 	log.Printf(">> Completed downloading packages from manifest into drop-in %s", dropPath)
@@ -608,6 +622,83 @@ func DownloadManifest(ctx context.Context) error {
 	return nil
 }
 
+func ExtractComponentsFromSelectedPkgSpecs(pkgSpecs []devtools.OSPackageArgs) ([]packaging.BinarySpec, error) {
+	// Extract the dependencies from the selected packages
+	mappedDependencies := map[string]packaging.BinarySpec{}
+	for _, pkg := range pkgSpecs {
+		if isSelected(pkg) {
+			if mg.Verbose() {
+				log.Printf("package %s is selected, collecting dependencies", pkg.Spec.Name)
+			}
+
+			for _, component := range pkg.Spec.Components {
+
+				if existingComp, ok := mappedDependencies[component.PackageName]; ok {
+					// sanity check: verify that for the same packageName we have the same component spec
+					if !existingComp.Equal(component) {
+						return nil, fmt.Errorf("found component %+v and %+v sharing the same package name %q but they are not equal",
+							existingComp, component, component.PackageName)
+					}
+				} else {
+					mappedDependencies[component.PackageName] = component
+					if mg.Verbose() {
+						log.Printf("Added component %s to the list of component to download from manifest", component.PackageName)
+					}
+				}
+			}
+		}
+	}
+
+	// collect the dependencies into a slice
+	dependencies := make([]packaging.BinarySpec, 0, len(mappedDependencies))
+	for _, pkg := range mappedDependencies {
+		dependencies = append(dependencies, pkg)
+	}
+
+	return dependencies, nil
+}
+
+func isSelected(pkg devtools.OSPackageArgs) bool {
+
+	// Checks if this package is compatible with the FIPS settings
+	if pkg.Spec.FIPS != devtools.FIPSBuild {
+		log.Printf("Skipping %s/%s package type because FIPS flag doesn't match [pkg=%v, build=%v]", pkg.Spec.Name, pkg.OS, pkg.Spec.FIPS, devtools.FIPSBuild)
+		return false
+	}
+
+	platforms := devtools.Platforms
+	for _, platform := range platforms {
+		if !isPackageSelectedForPlatform(pkg, platform) {
+			continue
+		}
+
+		pkgTypesSelected := 0
+		for _, pkgType := range pkg.Types {
+			if !devtools.IsPackageTypeSelected(pkgType) {
+				log.Printf("Skipping %s package type because it is not selected", pkgType)
+				continue
+			}
+
+			if pkgType == devtools.Docker && !devtools.IsDockerVariantSelected(pkg.Spec.DockerVariant) {
+				log.Printf("Skipping %s docker variant type because it is not selected", pkg.Spec.DockerVariant)
+				continue
+			}
+			pkgTypesSelected++
+		}
+		// if we found at least one package type for one platform the package spec is selected
+		return pkgTypesSelected > 0
+	}
+	return true
+}
+
+func isPackageSelectedForPlatform(pkg devtools.OSPackageArgs, platform devtools.BuildPlatform) bool {
+	if pkg.OS == platform.GOOS() && (pkg.Arch == "" || pkg.Arch == platform.Arch()) {
+		return true
+	}
+
+	return false
+}
+
 // FixDRADockerArtifacts is a workaround for the DRA artifacts produced by the package target. We had to do
 // because the initial unified release manager DSL code required specific names that the package does not produce,
 // we wanted to keep backwards compatibility with the artifacts of the unified release and the DRA.
@@ -657,8 +748,9 @@ func FixDRADockerArtifacts() error {
 	return nil
 }
 
-func requiredPackagesPresent(basePath, beat, version string, requiredPackages []string) bool {
-	for _, pkg := range requiredPackages {
+func requiredPackagesPresent(basePath, beat, version string, platforms []string) bool {
+	for _, pltf := range platforms {
+		pkg := manifest.PlatformPackages[pltf]
 		packageName := fmt.Sprintf("%s-%s-%s", beat, version, pkg)
 		path := filepath.Join(basePath, "build", "distributions", packageName)
 
@@ -1029,16 +1121,24 @@ func runAgent(ctx context.Context, env map[string]string) error {
 func packageAgent(ctx context.Context, platforms []string, dependenciesVersion string, manifestResponse *manifest.Build, agentPackaging, agentBinaryTarget mg.Fn, packageTypes []mage.PackageType) error {
 	fmt.Println("--- Package Elastic-Agent")
 
-	platformPackageSuffixes := []string{}
-	for _, p := range platforms {
-		platformPackageSuffixes = append(platformPackageSuffixes, manifest.PlatformPackages[p])
+	if mg.Verbose() {
+		log.Printf("--- Packaging dependenciesVersion[%s], %+v \n", dependenciesVersion, platforms)
+	}
+
+	log.Println("--- Running packaging function")
+	mg.Deps(agentPackaging)
+
+	dependencies, err := ExtractComponentsFromSelectedPkgSpecs(devtools.Packages)
+	if err != nil {
+		return fmt.Errorf("failed extracting dependencies: %w", err)
 	}
+
 	if mg.Verbose() {
-		log.Printf("--- Packaging dependenciesVersion[%s], %+v \n", dependenciesVersion, platformPackageSuffixes)
+		log.Printf("dependencies extracted from package specs: %v", dependencies)
 	}
 
 	// download/copy all the necessary dependencies for packaging elastic-agent
-	archivePath, dropPath := collectPackageDependencies(platforms, dependenciesVersion, platformPackageSuffixes, packageTypes)
+	archivePath, dropPath := collectPackageDependencies(platforms, dependenciesVersion, packageTypes, dependencies)
 
 	// cleanup after build
 	defer os.RemoveAll(archivePath)
@@ -1054,12 +1154,9 @@ func packageAgent(ctx context.Context, platforms []string, dependenciesVersion s
 	defer os.RemoveAll(flatPath)
 
 	// extract all dependencies from their archives into flat dir
-	flattenDependencies(platformPackageSuffixes, dependenciesVersion, archivePath, dropPath, flatPath, manifestResponse)
+	flattenDependencies(platforms, dependenciesVersion, archivePath, dropPath, flatPath, manifestResponse, dependencies)
 
 	// package agent
-	log.Println("--- Running packaging function")
-	mg.Deps(agentPackaging)
-
 	log.Println("--- Running post packaging ")
 	mg.Deps(Update)
 	mg.Deps(agentBinaryTarget, CrossBuildGoDaemon)
@@ -1078,7 +1175,7 @@ func packageAgent(ctx context.Context, platforms []string, dependenciesVersion s
 // NOTE: after the build is done the caller must:
 // - delete archivePath and dropPath contents
 // - unset AGENT_DROP_PATH environment variable
-func collectPackageDependencies(platforms []string, packageVersion string, platformPackageSuffixes []string, packageTypes []mage.PackageType) (archivePath string, dropPath string) {
+func collectPackageDependencies(platforms []string, packageVersion string, packageTypes []devtools.PackageType, dependencies []packaging.BinarySpec) (archivePath, dropPath string) {
 	dropPath, found := os.LookupEnv(agentDropPath)
 
 	// try not to shadow too many variables
@@ -1090,22 +1187,22 @@ func collectPackageDependencies(platforms []string, packageVersion string, platf
 		dropPath = filepath.Join("build", "distributions", "elastic-agent-drop")
 		dropPath, err = filepath.Abs(dropPath)
 		if err != nil {
-			panic(err)
+			panic(fmt.Errorf("obtaining absolute path for default drop path: %w", err))
 		}
 
 		if mg.Verbose() {
 			log.Printf(">> Creating drop-in folder %+v \n", dropPath)
 		}
-		archivePath = movePackagesToArchive(dropPath, platformPackageSuffixes, packageVersion)
-
-		if hasSnapshotEnv() {
-			packageVersion = fmt.Sprintf("%s-SNAPSHOT", packageVersion)
-		}
+		archivePath = movePackagesToArchive(dropPath, platforms, packageVersion, dependencies)
 
 		os.Setenv(agentDropPath, dropPath)
 
 		if devtools.ExternalBuild == true {
 
+			if mg.Verbose() {
+				log.Print(">>> Using external builds to collect components")
+			}
+
 			// Only log fatal logs for logs produced. This is the global logger
 			// used by github.com/elastic/elastic-agent/dev-tools/mage/downloads which can only be configured globally like this.
 			//
@@ -1117,19 +1214,32 @@ func collectPackageDependencies(platforms []string, packageVersion string, platf
 
 			errGroup, ctx := errgroup.WithContext(context.Background())
 			completedDownloads := &atomic.Int32{}
-			for _, spec := range manifest.ExpectedBinaries {
+
+			for _, spec := range dependencies {
 				for _, platform := range platforms {
+
 					if !spec.SupportsPlatform(platform) {
-						fmt.Printf("--- Binary %s does not support %s, download skipped\n", spec.BinaryName, platform)
+						log.Printf(">>> Binary %s does not support %s, download skipped\n", spec.BinaryName, platform)
 						continue
 					}
+
+					if mg.Verbose() {
+						log.Printf(">>> Looking for component %s/%s", spec.BinaryName, platform)
+					}
 					for _, pkgType := range packageTypes {
+						if mg.Verbose() {
+							log.Printf(">>> Evaluating pkgType %v for component %s/%s", pkgType, spec.BinaryName, platform)
+						}
 						if !spec.SupportsPackageType(pkgcommon.PackageType(pkgType)) {
+							log.Printf(">>> PkgType %v for component %s/%s not supported. Skipping...", pkgType, spec.BinaryName, platform)
 							continue
 						}
 						targetPath := filepath.Join(archivePath, manifest.PlatformPackages[platform])
 						os.MkdirAll(targetPath, 0o755)
 						packageName := spec.GetPackageName(packageVersion, platform)
+						if mg.Verbose() {
+							log.Printf(">>> Downloading package %s component %s/%s", packageName, spec.BinaryName, platform)
+						}
 						errGroup.Go(downloadBinary(ctx, spec.ProjectName, packageName, spec.BinaryName, platform, packageVersion, targetPath, completedDownloads))
 					}
 				}
@@ -1153,13 +1263,17 @@ func collectPackageDependencies(platforms []string, packageVersion string, platf
 
 				packagesCopied := 0
 
-				if !requiredPackagesPresent(pwd, b, packageVersion, platformPackageSuffixes) {
+				if !requiredPackagesPresent(pwd, b, packageVersion, platforms) {
 					fmt.Printf("--- Package %s\n", pwd)
 					cmd := exec.Command("mage", "package")
 					cmd.Dir = pwd
 					cmd.Stdout = os.Stdout
 					cmd.Stderr = os.Stderr
-					cmd.Env = append(os.Environ(), fmt.Sprintf("PWD=%s", pwd), "AGENT_PACKAGING=on")
+					cmd.Env = append(os.Environ(),
+						fmt.Sprintf("PWD=%s", pwd),
+						"AGENT_PACKAGING=on",
+						fmt.Sprintf("FIPS=%v", devtools.FIPSBuild),
+					)
 					if envVar := selectedPackageTypes(); envVar != "" {
 						cmd.Env = append(cmd.Env, envVar)
 					}
@@ -1171,7 +1285,8 @@ func collectPackageDependencies(platforms []string, packageVersion string, platf
 
 				// copy to new drop
 				sourcePath := filepath.Join(pwd, "build", "distributions")
-				for _, rp := range platformPackageSuffixes {
+				for _, pltf := range platforms {
+					rp := manifest.PlatformPackages[pltf]
 					files, err := filepath.Glob(filepath.Join(sourcePath, "*"+rp+"*"))
 					if err != nil {
 						panic(err)
@@ -1204,18 +1319,18 @@ func collectPackageDependencies(platforms []string, packageVersion string, platf
 			}
 		}
 	} else {
-		archivePath = movePackagesToArchive(dropPath, platformPackageSuffixes, packageVersion)
+		archivePath = movePackagesToArchive(dropPath, platforms, packageVersion, dependencies)
 	}
 	return archivePath, dropPath
 }
 
-func removePythonWheels(matches []string, version string) []string {
+func removePythonWheels(matches []string, version string, dependencies []packaging.BinarySpec) []string {
 	if hasSnapshotEnv() {
 		version = fmt.Sprintf("%s-SNAPSHOT", version)
 	}
 
 	var wheels []string
-	for _, spec := range manifest.ExpectedBinaries {
+	for _, spec := range dependencies {
 		if spec.PythonWheel {
 			wheels = append(wheels, spec.GetPackageName(version, ""))
 		}
@@ -1232,8 +1347,12 @@ func removePythonWheels(matches []string, version string) []string {
 
 // flattenDependencies will extract all the required packages collected in archivePath and dropPath in flatPath and
 // regenerate checksums
-func flattenDependencies(requiredPackages []string, packageVersion, archivePath, dropPath, flatPath string, manifestResponse *manifest.Build) {
-	for _, rp := range requiredPackages {
+func flattenDependencies(platforms []string, dependenciesVersion, archivePath, dropPath, flatPath string, manifestResponse *manifest.Build, dependencies []packaging.BinarySpec) {
+
+	for _, pltf := range platforms {
+
+		rp := manifest.PlatformPackages[pltf]
+
 		targetPath := filepath.Join(archivePath, rp)
 		versionedFlatPath := filepath.Join(flatPath, rp)
 		versionedDropPath := filepath.Join(dropPath, rp)
@@ -1258,7 +1377,7 @@ func flattenDependencies(requiredPackages []string, packageVersion, archivePath,
 
 		// never flatten any python wheels, the packages.yml and docker should handle
 		// those specifically so that the python wheels are installed into the container
-		matches = removePythonWheels(matches, packageVersion)
+		matches = removePythonWheels(matches, dependenciesVersion, dependencies)
 
 		if mg.Verbose() {
 			log.Printf("--- Extracting into the flat dir: %v", matches)
@@ -1288,9 +1407,9 @@ func flattenDependencies(requiredPackages []string, packageVersion, archivePath,
 		checksums := make(map[string]string)
 		// Operate on the files depending on if we're packaging from a manifest or not
 		if manifestResponse != nil {
-			checksums = devtools.ChecksumsWithManifest(rp, versionedFlatPath, versionedDropPath, manifestResponse)
+			checksums = devtools.ChecksumsWithManifest(pltf, dependenciesVersion, versionedFlatPath, versionedDropPath, manifestResponse, dependencies)
 		} else {
-			checksums = devtools.ChecksumsWithoutManifest(versionedFlatPath, versionedDropPath, packageVersion)
+			checksums = devtools.ChecksumsWithoutManifest(pltf, dependenciesVersion, versionedFlatPath, versionedDropPath, dependencies)
 		}
 
 		if err := appendComponentChecksums(versionedDropPath, checksums); err != nil {
@@ -1311,7 +1430,25 @@ type branchInfo struct {
 // FetchLatestAgentCoreStagingDRA is a mage target that will retrieve the elastic-agent-core DRA artifacts and
 // place them under build/dra/buildID. It accepts one argument that has to be a release branch present in staging DRA
 func FetchLatestAgentCoreStagingDRA(ctx context.Context, branch string) error {
-	branchInfo, err := findLatestBuildForBranch(ctx, baseURLForStagingDRA, branch)
+
+	elasticAgentCoreComponents := packaging.FilterComponents(packaging.WithProjectName(agentCoreProjectName), packaging.WithFIPS(devtools.FIPSBuild))
+
+	if len(elasticAgentCoreComponents) != 1 {
+		return fmt.Errorf(
+			"found an unexpected number of elastic-agent-core components (should be 1) [projectName: %q, fips: %v]: %v",
+			agentCoreProjectName,
+			devtools.FIPSBuild,
+			elasticAgentCoreComponents,
+		)
+	}
+
+	elasticAgentCoreComponent := elasticAgentCoreComponents[0]
+
+	branchInformation, err := findLatestBuildForBranch(ctx, baseURLForSnapshotDRA, branch)
+
+	if err != nil {
+		return fmt.Errorf("getting latest build for branch %q: %v", err)
+	}
 
 	// Create a dir with the buildID at <root>/build/dra/<buildID>
 	repositoryRoot, err := findRepositoryRoot()
@@ -1324,14 +1461,19 @@ func FetchLatestAgentCoreStagingDRA(ctx context.Context, branch string) error {
 		return fmt.Errorf("creating %q directory: %w", err)
 	}
 
-	artifacts, err := downloadDRAArtifacts(ctx, branchInfo.ManifestURL, draDownloadDir, agentCoreProjectName)
+	build, err := manifest.DownloadManifest(ctx, branchInformation.ManifestURL)
+	if err != nil {
+		return fmt.Errorf("downloading manifest from %q: %w", branchInformation.ManifestURL, err)
+	}
+
+	artifacts, err := downloadDRAArtifacts(ctx, &build, build.Version, draDownloadDir, elasticAgentCoreComponent)
 	if err != nil {
-		return fmt.Errorf("downloading DRA artifacts from %q: %w", branchInfo.ManifestURL, err)
+		return fmt.Errorf("downloading DRA artifacts from %q: %w", branchInformation.ManifestURL, err)
 	}
 
 	fmt.Println("Downloaded agent core DRAs:")
 	for k := range artifacts {
-		fmt.Println(k)
+		fmt.Println(filepath.Join(draDownloadDir, k))
 	}
 	return nil
 }
@@ -1365,7 +1507,7 @@ func PackageUsingDRA(ctx context.Context) error {
 		return fmt.Errorf("setting agent commit hash %q: %w", agentCoreProject.CommitHash, err)
 	}
 
-	return packageAgent(ctx, platforms, parsedVersion.VersionWithPrerelease(), manifestResponse, mg.F(devtools.UseElasticAgentPackaging), mg.F(useDRAAgentBinaryForPackage, devtools.ManifestURL), devtools.SelectedPackageTypes)
+	return packageAgent(ctx, platforms, parsedVersion.VersionWithPrerelease(), manifestResponse, mg.F(devtools.UseElasticAgentPackaging), mg.F(useDRAAgentBinaryForPackage, devtools.ManifestURL, parsedVersion.VersionWithPrerelease()), devtools.SelectedPackageTypes)
 }
 
 func downloadManifestAndSetVersion(ctx context.Context, url string) (*manifest.Build, *version.ParsedSemVer, error) {
@@ -1450,44 +1592,11 @@ func mapManifestPlatformToAgentPlatform(manifestPltf string) (string, bool) {
 	return mappedPltf, found
 }
 
-func filterPackagesByPlatform(pkgs map[string]manifest.Package) map[string]manifest.Package {
-	if mg.Verbose() {
-		log.Printf("unfiltered packages: %v", pkgs)
-	}
-	platforms := devtools.Platforms.Names()
-	filteredPackages := map[string]manifest.Package{}
-	for pkgName, pkgDesc := range pkgs {
-		if mg.Verbose() {
-			log.Printf("checking if %s:%v should be included", pkgName, pkgDesc)
-		}
-		for _, pkgOS := range pkgDesc.Os {
-			platformString, _ := mapManifestPlatformToAgentPlatform(fmt.Sprintf("%s/%s", pkgOS, pkgDesc.Architecture))
-			if slices.Contains(platforms, platformString) {
-				if mg.Verbose() {
-					log.Printf("platforms include %s", platformString)
-				}
-				filteredPackages[pkgName] = pkgDesc
-				break
-			}
-		}
-	}
-	if mg.Verbose() {
-		log.Printf("filtered packages: %v", filteredPackages)
-	}
-	return filteredPackages
-}
-
-func downloadDRAArtifacts(ctx context.Context, manifestUrl string, downloadDir string, projects ...string) (map[string]manifest.Package, error) {
-	build, err := manifest.DownloadManifest(ctx, manifestUrl)
-	if err != nil {
-		return nil, fmt.Errorf("downloading manifest from %q: %w", manifestUrl, err)
-	}
+func downloadDRAArtifacts(ctx context.Context, build *manifest.Build, version string, draDownloadDir string, components ...packaging.BinarySpec) (map[string]manifest.Package, error) {
 
-	// Create a dir with the buildID at <downloadDir>/<buildID>
-	draDownloadDir := filepath.Join(downloadDir, build.BuildID)
-	err = os.MkdirAll(draDownloadDir, 0o770)
+	err := os.MkdirAll(draDownloadDir, 0o770)
 	if err != nil {
-		return nil, fmt.Errorf("creating %q directory: %w", err)
+		return nil, fmt.Errorf("creating %q directory: %w", draDownloadDir, err)
 	}
 
 	// sync access to the downloadedArtifacts map
@@ -1495,60 +1604,93 @@ func downloadDRAArtifacts(ctx context.Context, manifestUrl string, downloadDir s
 	downloadedArtifacts := map[string]manifest.Package{}
 	errGrp, errCtx := errgroup.WithContext(ctx)
 
-	for _, projectName := range projects {
-		project, ok := build.Projects[projectName]
-		if !ok {
-			return nil, fmt.Errorf("project %q not found in manifest at %q", projectName, manifestUrl)
-		}
+	var downloaders []func() error
 
-		if mg.Verbose() {
-			log.Printf("build %q project %s packages: %+v", build.BuildID, projectName, project)
-		}
-		// filter down the packages to the platforms we are building/support
-		filteredPackages := filterPackagesByPlatform(project.Packages)
-		if mg.Verbose() {
-			log.Printf("packages to download: %v", filteredPackages)
-		}
-		for pkgName, pkgDesc := range filteredPackages {
-			downloadFunc := func(pkgName string, pkgDesc manifest.Package) func() error {
-				return func() error {
-					artifactDownloadPath := filepath.Join(draDownloadDir, pkgName)
-					err := manifest.DownloadPackage(errCtx, pkgDesc.URL, artifactDownloadPath)
-					if err != nil {
-						return fmt.Errorf("downloading %q: %w", pkgName, err)
-					}
+	for _, comp := range components {
+		for _, platform := range devtools.Platforms.Names() {
 
-					// download the SHA to check integrity
-					artifactSHADownloadPath := filepath.Join(draDownloadDir, pkgName+sha512FileExt)
-					err = manifest.DownloadPackage(errCtx, pkgDesc.ShaURL, artifactSHADownloadPath)
-					if err != nil {
-						return fmt.Errorf("downloading SHA for %q: %w", pkgName, err)
-					}
+			if !comp.SupportsPlatform(platform) {
+				if mg.Verbose() {
+					log.Printf("skipping download of %s/%s for platform %s as it's not supported", comp.ProjectName, comp.BinaryName, platform)
+				}
+				continue
+			}
 
-					err = download.VerifyChecksum(sha512.New(), artifactDownloadPath, artifactSHADownloadPath)
-					if err != nil {
-						return fmt.Errorf("validating checksum for %q: %w", pkgName, err)
-					}
+			project, ok := build.Projects[comp.ProjectName]
+			if !ok {
+				return nil, fmt.Errorf("project %q not found in manifest", comp.ProjectName)
+			}
 
-					// we should probably validate the signature, it can be done later as we return the package metadata
-					// see https://github.com/elastic/elastic-agent/issues/4445
+			if mg.Verbose() {
+				log.Printf("build %q project %s packages: %+v", build.BuildID, comp.ProjectName, project)
+			}
 
-					mx.Lock()
-					defer mx.Unlock()
-					downloadedArtifacts[artifactDownloadPath] = pkgDesc
+			packageName := comp.GetPackageName(version, platform)
 
-					return nil
-				}
-			}(pkgName, pkgDesc)
+			if packageSpec, ok := project.Packages[packageName]; ok {
+				downloadFunc := func(pkgName string, pkgDesc manifest.Package) func() error {
+					return func() error {
+						artifactDownloadPath := filepath.Join(draDownloadDir, pkgName)
+						err := manifest.DownloadPackage(errCtx, pkgDesc.URL, artifactDownloadPath)
+						if err != nil {
+							return fmt.Errorf("downloading %q: %w", pkgName, err)
+						}
+
+						// download the SHA to check integrity
+						artifactSHADownloadPath := filepath.Join(draDownloadDir, pkgName+sha512FileExt)
+						err = manifest.DownloadPackage(errCtx, pkgDesc.ShaURL, artifactSHADownloadPath)
+						if err != nil {
+							return fmt.Errorf("downloading SHA for %q: %w", pkgName, err)
+						}
+
+						err = download.VerifyChecksum(sha512.New(), artifactDownloadPath, artifactSHADownloadPath)
+						if err != nil {
+							return fmt.Errorf("validating checksum for %q: %w", pkgName, err)
+						}
+
+						// we should probably validate the signature, it can be done later as we return the package metadata
+						// see https://github.com/elastic/elastic-agent/issues/4445
+
+						mx.Lock()
+						defer mx.Unlock()
+						downloadedArtifacts[pkgName] = pkgDesc
+
+						return nil
+					}
+				}(packageName, packageSpec)
+				downloaders = append(downloaders, downloadFunc)
+			} else {
+				return nil, fmt.Errorf("package %q not found in project %q", packageName, comp.ProjectName)
+			}
 
-			errGrp.Go(downloadFunc)
 		}
 	}
 
+	for _, downloader := range downloaders {
+		errGrp.Go(downloader)
+	}
+
 	return downloadedArtifacts, errGrp.Wait()
 }
 
-func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error {
+func useDRAAgentBinaryForPackage(ctx context.Context, manifestURL string, version string) error {
+
+	elasticAgentCoreComponents := packaging.FilterComponents(packaging.WithProjectName(agentCoreProjectName), packaging.WithFIPS(devtools.FIPSBuild))
+
+	if len(elasticAgentCoreComponents) != 1 {
+		return fmt.Errorf(
+			"found an unexpected number of elastic-agent-core components (should be 1) [projectName: %q, fips: %v]: %v",
+			agentCoreProjectName,
+			devtools.FIPSBuild,
+			elasticAgentCoreComponents,
+		)
+	}
+
+	elasticAgentCoreComponent := elasticAgentCoreComponents[0]
+	if mg.Verbose() {
+		log.Printf("found elastic-agent-core component used: %v", elasticAgentCoreComponent)
+	}
+
 	repositoryRoot, err := findRepositoryRoot()
 	if err != nil {
 		return fmt.Errorf("looking up for repository root: %w", err)
@@ -1556,8 +1698,16 @@ func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error
 
 	downloadDir := filepath.Join(repositoryRoot, "build", "dra")
 
+	manifestResponse, err := manifest.DownloadManifest(ctx, manifestURL)
+	if err != nil {
+		return fmt.Errorf("downloading manifest from %s: %w", manifestURL, err)
+	}
+
 	// fetch the agent-core DRA artifacts for the current branch
-	artifacts, err := downloadDRAArtifacts(ctx, manifestUrl, downloadDir, agentCoreProjectName)
+
+	// Create a dir with the buildID at <downloadDir>/<buildID>
+	draDownloadDir := filepath.Join(downloadDir, manifestResponse.BuildID)
+	artifacts, err := downloadDRAArtifacts(ctx, &manifestResponse, version, draDownloadDir, elasticAgentCoreComponent)
 	if err != nil {
 		return fmt.Errorf("downloading elastic-agent-core artifacts: %w", err)
 	}
@@ -1565,39 +1715,43 @@ func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error
 	mg.Deps(EnsureCrossBuildOutputDir)
 
 	// place the artifacts where the package.yml expects them (in build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}})
-	for artifactFile, artifactMeta := range artifacts {
+	for _, platform := range devtools.Platforms.Names() {
+		if !elasticAgentCoreComponent.SupportsPlatform(platform) {
+			continue
+		}
+
+		expectedPackageName := elasticAgentCoreComponent.GetPackageName(version, platform)
+
+		artifactMetadata, ok := artifacts[expectedPackageName]
+
+		if !ok {
+			return fmt.Errorf("elastic-agent-core package %q has not been downloaded for platform %s", expectedPackageName, platform)
+		}
+
 		// uncompress the archive first
 		const extractionSubdir = "extracted"
-		extractDir := filepath.Join(filepath.Dir(artifactFile), extractionSubdir)
+		extractDir := filepath.Join(draDownloadDir, extractionSubdir)
+		artifactFile := filepath.Join(draDownloadDir, expectedPackageName)
 		err = devtools.Extract(artifactFile, extractDir)
 		if err != nil {
 			return fmt.Errorf("extracting %q: %w", artifactFile, err)
 		}
 
-		// we can take a shortcut as the archive contains a subdirectory with the same name of the file minus the extension
-		// and we have to rename the binary file while moving using the same name
-		artifactBaseFileName := filepath.Base(artifactFile)
-		artifactBaseFileExt := filepath.Ext(artifactBaseFileName)
-		if artifactBaseFileExt == ".gz" {
-			// get the next extension to get .tar.gz if it's there
-			artifactBaseFileExt = filepath.Ext(strings.TrimSuffix(artifactBaseFileName, artifactBaseFileExt)) + artifactBaseFileExt
-		}
-
 		// this is the directory name where we can find the agent executable
-		targetArtifactName := strings.TrimSuffix(artifactBaseFileName, artifactBaseFileExt)
-		const agentBinaryName = "elastic-agent"
+		targetArtifactName := elasticAgentCoreComponent.GetRootDir(version, platform)
 		binaryExt := ""
-		if slices.Contains(artifactMeta.Os, "windows") {
+		if slices.Contains(artifactMetadata.Os, "windows") {
 			binaryExt += ".exe"
 		}
-		srcBinaryPath := filepath.Join(extractDir, targetArtifactName, agentBinaryName+binaryExt)
+
+		srcBinaryPath := filepath.Join(extractDir, targetArtifactName, elasticAgentCoreComponent.BinaryName+binaryExt)
 		srcStat, err := os.Stat(srcBinaryPath)
 		if err != nil {
 			return fmt.Errorf("stat source binary name %q: %w", srcBinaryPath, err)
 		}
 		log.Printf("Source binary %q stat: %+v", srcBinaryPath, srcStat)
 
-		dstPlatform, _ := mapManifestPlatformToAgentPlatform(fmt.Sprintf("%s-%s", artifactMeta.Os[0], artifactMeta.Architecture))
+		dstPlatform, _ := mapManifestPlatformToAgentPlatform(fmt.Sprintf("%s-%s", artifactMetadata.Os[0], artifactMetadata.Architecture))
 		dstFileName := fmt.Sprintf("elastic-agent-%s", dstPlatform) + binaryExt
 		dstBinaryPath := filepath.Join(repositoryRoot, "build", "golang-crossbuild", dstFileName)
 
@@ -1610,6 +1764,7 @@ func useDRAAgentBinaryForPackage(ctx context.Context, manifestUrl string) error
 			return fmt.Errorf("copying %q to %q: %w", srcBinaryPath, dstBinaryPath, err)
 		}
 	}
+
 	return nil
 }
 
@@ -1656,7 +1811,7 @@ func appendComponentChecksums(versionedDropPath string, checksums map[string]str
 }
 
 // movePackagesToArchive Create archive folder and move any pre-existing artifacts into it.
-func movePackagesToArchive(dropPath string, platformPackageSuffixes []string, packageVersion string) string {
+func movePackagesToArchive(dropPath string, platforms []string, packageVersion string, dependencies []packaging.BinarySpec) string {
 	archivePath := filepath.Join(dropPath, "archives")
 	os.MkdirAll(archivePath, 0o755)
 
@@ -1672,12 +1827,13 @@ func movePackagesToArchive(dropPath string, platformPackageSuffixes []string, pa
 	matches = append(matches, zipMatches...)
 
 	for _, f := range matches {
-		for _, packageSuffix := range platformPackageSuffixes {
+		for _, pltf := range platforms {
+			packageSuffix := manifest.PlatformPackages[pltf]
 			if mg.Verbose() {
 				log.Printf("--- Evaluating moving dependency %s to archive path %s\n", f, archivePath)
 			}
 			// if the matched file name does not contain the platform suffix and it's not a platform-independent package, skip it
-			if !strings.Contains(f, packageSuffix) && !isPlatformIndependentPackage(f, packageVersion) {
+			if !strings.Contains(f, packageSuffix) && !isPlatformIndependentPackage(f, packageVersion, dependencies) {
 				if mg.Verbose() {
 					log.Printf("--- Skipped moving dependency %s to archive path\n", f)
 				}
@@ -1702,7 +1858,10 @@ func movePackagesToArchive(dropPath string, platformPackageSuffixes []string, pa
 			}
 
 			// Platform-independent packages need to be placed in the archive sub-folders for all platforms, copy instead of moving
-			if isPlatformIndependentPackage(f, packageVersion) {
+			if isPlatformIndependentPackage(f, packageVersion, dependencies) {
+				if mg.Verbose() {
+					log.Printf("copying %s to %s as it is a platform independent package", f, packageVersion)
+				}
 				if err := copyFile(f, targetPath); err != nil {
 					panic(fmt.Errorf("failed copying file: %w", err))
 				}
@@ -1747,15 +1906,30 @@ func copyFile(src, dst string) error {
 	return nil
 }
 
-func isPlatformIndependentPackage(f string, packageVersion string) bool {
+func isPlatformIndependentPackage(f string, packageVersion string, dependencies []packaging.BinarySpec) bool {
 	fileBaseName := filepath.Base(f)
-	for _, spec := range manifest.ExpectedBinaries {
+	if mg.Verbose() {
+		log.Printf("isPlatformIndependentPackage(%s, %s, %v)", f, packageVersion, dependencies)
+	}
+	for _, spec := range dependencies {
+		if mg.Verbose() {
+			log.Printf("evaluating if %s is a platform independent package", f)
+		}
 		packageName := spec.GetPackageName(packageVersion, "")
 		// as of now only python wheels packages are platform-independent
+		if mg.Verbose() {
+			log.Printf("checking expected package name %s against actual file name %s", packageName, fileBaseName)
+		}
 		if spec.PythonWheel && (fileBaseName == packageName || fileBaseName == packageName+sha512FileExt) {
+			if mg.Verbose() {
+				log.Printf("%s is a platform independent package", f)
+			}
 			return true
 		}
 	}
+	if mg.Verbose() {
+		log.Printf("%s is NOT a platform independent package", f)
+	}
 	return false
 }
 
diff --git a/pkg/version/version_parser.go b/pkg/version/version_parser.go
index 84d8f95e4ba..8ecd95dcec0 100644
--- a/pkg/version/version_parser.go
+++ b/pkg/version/version_parser.go
@@ -13,7 +13,7 @@ import (
 	"strings"
 )
 
-// regexp taken from https://semver.org/ (see the FAQ section/Is there a suggested regular expression (RegEx) to check a SemVer string?)
+// semVerFormat is a regexp taken from https://semver.org/ (see the FAQ section/Is there a suggested regular expression (RegEx) to check a SemVer string?)
 const semVerFormat = `^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`
 const numericPrereleaseTokenFormat = `\d+`
 const preReleaseSeparator = "-"
diff --git a/testing/integration/upgrade_standalone_same_commit_test.go b/testing/integration/upgrade_standalone_same_commit_test.go
index 7c8156a9230..7422e1aa8e8 100644
--- a/testing/integration/upgrade_standalone_same_commit_test.go
+++ b/testing/integration/upgrade_standalone_same_commit_test.go
@@ -374,8 +374,8 @@ func generateNewManifestContent(t *testing.T, manifestReader io.Reader, newVersi
 	t.Logf("read old manifest: %+v", oldManifest)
 
 	// replace manifest content
-	newManifest, err := mage.GeneratePackageManifest("elastic-agent", newVersion.String(), oldManifest.Package.Snapshot, oldManifest.Package.Hash, oldManifest.Package.Hash[:6])
-	require.NoErrorf(t, err, "GeneratePackageManifest(%v, %v, %v, %v) failed", newVersion.String(), oldManifest.Package.Snapshot, oldManifest.Package.Hash, oldManifest.Package.Hash[:6])
+	newManifest, err := mage.GeneratePackageManifest("elastic-agent", newVersion.String(), oldManifest.Package.Snapshot, oldManifest.Package.Hash, oldManifest.Package.Hash[:6], oldManifest.Package.Fips)
+	require.NoErrorf(t, err, "GeneratePackageManifest(%v, %v, %v, %v, %v) failed", newVersion.String(), oldManifest.Package.Snapshot, oldManifest.Package.Hash, oldManifest.Package.Hash[:6], oldManifest.Package.Fips)
 
 	t.Logf("generated new manifest:\n%s", newManifest)
 	return newManifest