diff --git a/.gitignore b/.gitignore
index 3c87b13..434ce64 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 /gpg-117E8C168EFE3A7F.key
-/weldr-client-35.1.tar.gz
+/weldr-client-35.4.tar.gz
+/weldr-client-35.4.tar.gz.asc
+/weldr-client-35.5.tar.gz
+/weldr-client-35.5.tar.gz.asc
diff --git a/sources b/sources
index b219810..38de0fe 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
-SHA512 (gpg-117E8C168EFE3A7F.key) = 36712a4e05cbb2ca139e777d8b2abe4ee0536f970208c2c2c1a50a2294979b828a9d6abcbad1dce3cc015a0c4364ab87ab04cb459811ad3aca5cf6611093b9bd
-SHA512 (weldr-client-35.1.tar.gz) = 8508b446c44eae917710083c8185054e3a89f799723b71e2d0069ce35c653ea2adabcab3b8d7d9a903f127798368933ba765c603ebed4fe3f6c6187c032a793c
+SHA512 (weldr-client-35.5.tar.gz) = 81f4a97ce1f1081ea27d0f5e3513ef705586b5b29ff4f9047e067888af4784472c79203397aa8e567414f3e92a1b1fef55412d0e151adaef01f96cc5ec0cceb3
+SHA512 (weldr-client-35.5.tar.gz.asc) = 3116b9481bf43eea82029b15bbc972341ef2cc9e73e97bf60490458085cba0f4fe0adb4651688101ffaa2e41f5f5f112a5a6555be3253d3666faf801e3d157cc
+SHA512 (gpg-117E8C168EFE3A7F.key) = 9c760460e3227848c99a1178828512056ac04f518f98bdab5ef36d2aa31c4e5dcda3800d7141cfaf7f2acd0f7f35d4b9971083b6f14f8a36231b74041d4ed88d
diff --git a/weldr-client-35.1.tar.gz.asc b/weldr-client-35.1.tar.gz.asc
deleted file mode 100644
index df7d102..0000000
--- a/weldr-client-35.1.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEtMa0UeT6i0IyyhkeEX6MFo7+On8FAmB0v1oACgkQEX6MFo7+
-On/fBQgAheXV7RRzQEKiYTc53dNKY2+jTzy++W2BpBnpMVIkcu8LjSLQ9sD2AF5o
-90aeeTnMs4o2YKjInj2Rl/TfnA0JfHl+es/QcpKwM6Tl7Znn9570hRy10JuRojSe
-4Lq8wxcr8m5oxAzE1UAvz4ws0xdgHwvhPJJUfMNXANj5BX7M/5A3493zDAkwvQ9H
-3VdPenPgZk2nwjml0IgtTR+sRn1aJC0yXYtcP2bAlOV3sAklVkIGhL3E9bh78Bbj
-oRCN50Bw3jrFmhisfT1HhKtW0B64mg12uIXAqi0S471O4eiy4cF6SFh9L5bSqaTZ
-Zw1nTyzykUR0DCtQ6n/Vcqo7jl8Fsw==
-=YWa+
------END PGP SIGNATURE-----
diff --git a/weldr-client.spec b/weldr-client.spec
index 4c94b97..45995a8 100644
--- a/weldr-client.spec +++ b/weldr-client.spec @@ -1,18 +1,22 @@ # Pass --with tests to rpmbuild to build composer-cli-tests %bcond_with tests +# Pass --without signed to skip gpg signed tar.gz (DO NOT DO THAT IN PRODUCTION) +%bcond_without signed -%global goipath github.com/osbuild/weldr-client +%global goipath github.com/osbuild/weldr-client/v2 Name: weldr-client -Version: 35.1 -Release: 3%{?dist} +Version: 35.5 +Release: 2%{?dist} # Upstream license specification: Apache-2.0 License: ASL 2.0 Summary: Command line utility to control osbuild-composer Url: %{gourl} Source0: https://github.com/osbuild/weldr-client/releases/download/v%{version}/%{name}-%{version}.tar.gz +%if %{with signed} Source1: https://github.com/osbuild/weldr-client/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/117E8C168EFE3A7F#/gpg-117E8C168EFE3A7F.key +%endif Obsoletes: composer-cli < 35.0 Provides: composer-cli = %{version}-%{release} @@ -37,7 +41,9 @@ BuildRequires: gnupg2 Command line utility to control osbuild-composer %prep +%if %{with signed} %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%endif %if 0%{?rhel} %forgeautosetup -p1 %else @@ -45,6 +51,8 @@ Command line utility to control osbuild-composer %endif %build +export LDFLAGS="-X %{goipath}/cmd/composer-cli/root.Version=%{version} " + %if 0%{?rhel} GO_BUILD_PATH=$PWD/_build install -m 0755 -vd $(dirname $GO_BUILD_PATH/src/%{goipath}) 
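Review bot: The new `signed` bcond in the preamble and in `%prep` (the `@@ -37,7 +41,9 @@` hunk) switches `%{gpgverify}` off silently, so a build run with `--without signed` leaves nothing in the log to show that the tarball was never checked against its signature. An `%else` branch in `%prep` such as `echo "WARNING: source signature verification skipped (--without signed)" >&2` would make the opt-out visible to anyone auditing a build. Separately, the `sources` hunk replaces the SHA512 of `gpg-117E8C168EFE3A7F.key`, which is the keyring `%{gpgverify}` trusts, and the visible changelog entries do not mention a key change. `Source2` names that key only by a 16-hex-digit ID, so the hash in `sources` is the effective pin; it is worth confirming that the new file still contains only the expected upstream key.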
@@ -58,28 +66,23 @@ export GOFLAGS=-mod=vendor export GOPATH="%{gobuilddir}:${GOPATH:+${GOPATH}:}%{?gopath}" export GO111MODULE=off %endif +%gobuild -o composer-cli %{goipath}/cmd/composer-cli -export LDFLAGS="-X github.com/osbuild/weldr-client/cmd/composer-cli/root.Version=%{version} " -make GOBUILDFLAGS="%{gobuildflags}" build ## TODO ##make man %if %{with tests} || 0%{?rhel} +export BUILDTAGS="integration" + # Build test binaries with `go test -c`, so that they can take advantage of -# golang's testing package. The golang rpm macros don't support building them +# golang's testing package. The RHEL golang rpm macros don't support building them # directly. Thus, do it manually, taking care to also include a build id. # -# On Fedora, also turn off go modules and set the path to the one into which +# On Fedora go modules have already been turned off, and the path set to the one into which # the golang-* packages install source code. -%if 0%{?fedora} -export GOPATH="%{gobuilddir}:${GOPATH:+${GOPATH}:}%{?gopath}" -export GO111MODULE=off -%endif - -export LDFLAGS="-X github.com/osbuild/weldr-client/cmd/composer-cli/root.Version=%{version} " -export BUILDTAGS="integration" -make GOBUILDFLAGS="%{gobuildflags}" integration +export LDFLAGS="${LDFLAGS:-} -linkmode=external -compressdwarf=false -B 0x$(od -N 20 -An -tx1 -w100 /dev/urandom | tr -d ' ')" +go test -c -tags=integration -buildmode pie -compiler gc -ldflags="${LDFLAGS}" -o composer-cli-tests %{goipath}/weldr %endif %install @@ -95,8 +98,10 @@ export GOPATH="%{gobuilddir}:${GOPATH:+${GOPATH}:}%{?gopath}" export GO111MODULE=off %endif -export LDFLAGS="-X github.com/osbuild/weldr-client/cmd/composer-cli/root.Version=%{version} " -make GOBUILDFLAGS="%{gotestflags}" test +# Run the unit tests +export LDFLAGS="-X %{goipath}/cmd/composer-cli/root.Version=%{version} " +make test + %files %license LICENSE 
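Review bot: The `-B 0x$(od -N 20 -An -tx1 -w100 /dev/urandom | tr -d ' ')` added to `LDFLAGS` for `composer-cli-tests` gives every build a random GNU build ID, so two builds of the same source never yield the same test binary and a rebuild cannot be compared bit-for-bit with the shipped one. Deriving the 20 bytes from fixed inputs keeps a build ID while staying reproducible, for example `-B 0x$(echo '%{name}-%{version}-%{release}-%{_arch}' | sha1sum | cut -d' ' -f1)`. `export BUILDTAGS="integration"` also looks unused now that `make integration` is gone and `go test -c` receives `-tags=integration` directly; it can be dropped unless something outside this hunk reads it. The `%build` section starts before this hunk, so whether `%gobuild` applies the same random ID to the main binary is not visible here.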
@@ -121,27 +126,24 @@ composer-cli package. %changelog -* Fri Jul 23 2021 Fedora Release Engineering - 35.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild +* Sat Jul 09 2022 Maxwell G - 35.5-2 +- Rebuild for CVE-2022-{24675,28327,29526} in golang -* Thu Apr 22 2021 Brian C. Lane - 35.1-2 -- Obsolete composer-cli < 35.0 instead of 34.0 - Patch until next upstream release - -* Mon Apr 12 2021 Brian C. Lane - 35.1-1 -- New release: 35.1 (bcl) -- spec: Change release back to 1 (bcl) -- spec: Move testify BuildRequires into fedora block (bcl) -- vendor: Add vendored dependencies for RHEL (bcl) -- tools: Add prepare-source.sh vendoring helper script (bcl) -- Makefile: skip vendor directory for check target (bcl) -- spec: Bump release to 2 (bcl) -- spec: Fix BuildRequires for tests (bcl) -- Makefile: Remove executable from bash completion (bcl) -- Makefile: Only use GOBUILDFLAGS (bcl) -- spec: Bump release to 2 (bcl) -- spec: Add doc files (bcl) -- spec: Add gpg signature verification (bcl) -- spec: Use git-core instead of git (bcl) -- spec: Set License to Apache 2.0 (bcl) -- spec: Update Source urls with new project location (bcl) +* Mon Feb 14 2022 Brian C. 
Lane - 35.5-1 +- New release: 35.5 (bcl) +- docs: Explain how to undo blueprints delete (bcl) +- test: server status no longer returns devel (bcl) +- Use GetFrozenBlueprintsTOML for blueprints freeze save (bcl) +- Add a test for float uid/gid in frozen blueprint (bcl) +- Use GetBlueprintsTOML for blueprints save (bcl) +- test: Add a test for float uid/gid in saved blueprint (bcl) +- build(deps): bump github.com/BurntSushi/toml from 0.4.1 to 1.0.0 (49699333+dependabot[bot]) +- tests: trigger on push to main (jrusz) +- build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (49699333+dependabot[bot]) +- ci: add keystore for sonarqube (jrusz) +- spec: Switch to using %%gobuild macro on Fedora (bcl) +- ci: change workflow name (jrusz) +- ci: add gitlab-ci and sonarqube (jrusz) +- doc: fix example links from the README (tdecacqu) +- build(deps): bump actions/checkout from 2.3.4 to 2.4.0 (49699333+dependabot[bot]) +- ci: Enable Coverity Scan tool (atodorov)