diff --git a/.gitignore b/.gitignore
index d87a2f4..1d99ef6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/oath-toolkit-2.6.7.tar.gz
+SOURCES/oath-toolkit-2.6.12.tar.gz
+SOURCES/oath-toolkit-2.6.12.tar.gz.sig
diff --git a/.oath-toolkit.metadata b/.oath-toolkit.metadata
index 78e1a7f..075b122 100644
--- a/.oath-toolkit.metadata
+++ b/.oath-toolkit.metadata
@@ -1 +1,2 @@
-43daea1daab55ff3d5282fdcaec5f23764ff8fb4 SOURCES/oath-toolkit-2.6.7.tar.gz
+0bfb6ad29d59628487c9e180c7a43f4ca301e4d1 SOURCES/oath-toolkit-2.6.12.tar.gz
+3566788fe7378c51f53e542c89f0388bf1a11f63 SOURCES/oath-toolkit-2.6.12.tar.gz.sig
diff --git a/SOURCES/keyring.asc b/SOURCES/keyring.asc
new file mode 100644
index 0000000..fcb2e44
--- /dev/null
+++ b/SOURCES/keyring.asc
@@ -0,0 +1,23 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9fV+QlTmXxo2naObDuGtw5
+8YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9zZWZzc29uLm9yZz6IlgQT
+FggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYhBLHSvRN1vst4TPT4xNc8
+9jjFPAa+BQJl/YgIBQkLehFUAAoJENc89jjFPAa+CboA+wUa06RD5e5VTCxvSWtP
+S75Wq2qBeYGZnf0jvUMxa2n4AP4xkUeAPPnNuMsTm2fsFCDIGaEM2Yn6Vb2huzzT
+1Fw/BLg4BFySz2oSCisGAQQBl1UBBQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmd
+JyYPt3lNHMd6HAMBCAeIfgQYFggAJgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+
+BQJl/YgwBQkLehDGAAoJENc89jjFPAa+phoA/jrDqIrl/55vUMBhIQv+TP635d2i
+CTEnyFmbUcP9+gh6APoDsXalVd2cOGxQtSC+TF8PkZMn1TLkJKAjVxr+xx40Argz
+BFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAxI2hIX4HK9bQTpNVei708oNr1Klm8
+qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0+MTXPPY4xTwGvgUCZf2IKwUJC3oQ
+qgCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9RcisI/kdFogUCXJLPgQAKCRBRcisI
+/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE8GZHYNuFHmM9FEQS6AD6A4x5aYvo
+Y6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4JENc89jjFPAa+GcYA/26YQY05bLtn
+XiIjTiAzrGQrRXxTHPA8Av7TDFHvIetWAP9sHSoU8OfTwmTiEnGwLlsV7QJclZg3
+YNz/Ypcp9TqQBrgzBFySz3UWCSsGAQQB2kcPAQEHQLzCFcHHrKzVSPDDarZPYqn8
+9H5TPaxwcORgRg+4DagEiH4EGBYIACYCGyAWIQSx0r0Tdb7LeEz0+MTXPPY4xTwG
+vgUCZf2IJAUJC3oQrwAKCRDXPPY4xTwGvoxCAQCe/iMQZvHZmSQef5RnL1HOWy03
+OHtsZyhGLnQjsx7PhAEA3O2K0dNbPW2iZMcn9MXAOdmff3zkfNrWEWkZR/x5Xgw=
+=2aFT
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SOURCES/oath-toolkit-2.6.7-lockfile.patch b/SOURCES/oath-toolkit-2.6.12-lockfile.patch
similarity index 80%
rename from SOURCES/oath-toolkit-2.6.7-lockfile.patch
rename to SOURCES/oath-toolkit-2.6.12-lockfile.patch
index 0cd459a..72a2092 100644
--- a/SOURCES/oath-toolkit-2.6.7-lockfile.patch
+++ b/SOURCES/oath-toolkit-2.6.12-lockfile.patch
@@ -1,5 +1,5 @@
 diff --git a/liboath/global.c b/liboath/global.c
-index d442cf3..cfe1cee 100644
+index d1a0e4d..4c6e5ca 100644
 --- a/liboath/global.c
 +++ b/liboath/global.c
 @@ -25,9 +25,12 @@
@@ -61,7 +61,7 @@ index d442cf3..cfe1cee 100644
 + return OATH_OK;
 +}
diff --git a/liboath/liboath.map b/liboath/liboath.map -index 2f247ff..e8f8cdf 100644 +index d980107..a001f6d 100644 --- a/liboath/liboath.map +++ b/liboath/liboath.map @@ -75,6 +75,7 @@ LIBOATH_2.2.0 @@ -73,50 +73,50 @@ index 2f247ff..e8f8cdf 100644 LIBOATH_2.6.0 diff --git a/liboath/oath.h b/liboath/oath.h -index fe93b9e..6660fb3 100644 +index 01b7a3c..a5d7787 100644 --- a/liboath/oath.h +++ b/liboath/oath.h -@@ -159,11 +159,15 @@ typedef enum +@@ -159,11 +159,15 @@ extern "C" /* Global */ -+extern char *oath_lockfile_path; ++ extern char *oath_lockfile_path; + - extern OATHAPI int oath_init (void); - extern OATHAPI int oath_done (void); + extern OATHAPI int oath_init (void); + extern OATHAPI int oath_done (void); - extern OATHAPI const char *oath_check_version (const char *req_version); + extern OATHAPI const char *oath_check_version (const char *req_version); -+extern OATHAPI int oath_set_lockfile_path(const char *lockfile); ++ extern OATHAPI int oath_set_lockfile_path(const char *lockfile); + /* Error handling */ - extern OATHAPI const char *oath_strerror (int err); + extern OATHAPI const char *oath_strerror (int err); diff --git a/liboath/oath.h.in b/liboath/oath.h.in -index eee284c..536cd30 100644 +index b8b4fbd..99e5fd0 100644 --- a/liboath/oath.h.in 
+++ b/liboath/oath.h.in -@@ -159,11 +159,15 @@ typedef enum +@@ -159,11 +159,15 @@ extern "C" /* Global */ -+extern char *oath_lockfile_path; ++ extern char *oath_lockfile_path; + - extern OATHAPI int oath_init (void); - extern OATHAPI int oath_done (void); + extern OATHAPI int oath_init (void); + extern OATHAPI int oath_done (void); - extern OATHAPI const char *oath_check_version (const char *req_version); + extern OATHAPI const char *oath_check_version (const char *req_version); -+extern OATHAPI int oath_set_lockfile_path(const char *lockfile); ++ extern OATHAPI int oath_set_lockfile_path(const char *lockfile); + /* Error handling */ - extern OATHAPI const char *oath_strerror (int err); + extern OATHAPI const char *oath_strerror (int err); diff --git a/liboath/usersfile.c b/liboath/usersfile.c -index ef03f39..7cc4347 100644 +index 68268a2..eb78fe0 100644 --- a/liboath/usersfile.c +++ b/liboath/usersfile.c -@@ -323,9 +323,18 @@ update_usersfile (const char *usersfile, +@@ -325,9 +325,18 @@ update_usersfile (const char *usersfile, { int l; @@ -136,10 +136,10 @@ index ef03f39..7cc4347 100644 + return OATH_PRINTF_ERROR; + } - lockfh = fopen (lockfile, "w"); + lockfh = fopen (lockfile, "wx"); if (!lockfh) diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c -index b2afed7..307ffc2 100644 +index 2a85030..6a83195 100644 --- a/pam_oath/pam_oath.c +++ b/pam_oath/pam_oath.c @@ -75,6 +75,7 @@ struct cfg @@ -175,7 +175,7 @@ index b2afed7..307ffc2 100644 D (("digits=%d", cfg->digits)); D (("window=%d", cfg->window)); } -@@ -327,6 +332,17 @@ pam_sm_authenticate (pam_handle_t * pamh, +@@ -369,6 +374,17 @@ pam_sm_authenticate (pam_handle_t *pamh, goto done; } diff --git a/SPECS/oath-toolkit.spec b/SPECS/oath-toolkit.spec index c186ccb..6ddb9e5 100644 --- a/SPECS/oath-toolkit.spec +++ b/SPECS/oath-toolkit.spec 
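Review bot: The rebased oath.h and oath.h.in sections of the carried patch still publish the lock path as a bare writable global, `extern char *oath_lockfile_path;`, directly beside its setter `oath_set_lockfile_path`. Any code that links liboath can repoint that variable without going through the setter, and the declaration lacks the `OATHAPI` marker its neighbours carry, so it is unclear from the header whether it is meant to be exported (the liboath.map line the patch adds is not visible in this diff). Because this string decides where `update_usersfile` creates its lock file with `fopen (lockfile, "wx")`, I would keep the variable out of the installed header and leave the setter as the only public entry point. I would also add a comment above the setter such as `/* Stores the lock file path used by update_usersfile; the directory must not be writable by unprivileged users. */`. Only the indentation of these lines changes in this rebase, so the point applies to the downstream patch as a whole rather than to this commit's edit.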
@@ -1,7 +1,8 @@ Name: oath-toolkit -Version: 2.6.7 -Release: 2%{?dist} -License: GPLv3+ +Version: 2.6.12 +Release: 1%{?dist} +# Automatically converted from old format: GPLv3+ - review is highly recommended. +License: GPL-3.0-or-later Summary: One-time password components BuildRequires: make BuildRequires: pam-devel @@ -12,9 +13,14 @@ BuildRequires: xmlsec1-devel BuildRequires: xmlsec1-openssl-devel BuildRequires: autoconf BuildRequires: automake +BuildRequires: gnupg2 Source0: https://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz +Source1: https://download.savannah.nongnu.org/releases/%{name}/%{name}-%{version}.tar.gz.sig +# gpg2 --recv-keys EDA21E94B565716F +# gpg2 --armor --export D73CF638C53C06BE > keyring.asc +Source2: keyring.asc URL: https://www.nongnu.org/oath-toolkit/ -Patch0: oath-toolkit-2.6.7-lockfile.patch +Patch0: oath-toolkit-2.6.12-lockfile.patch %description The OATH Toolkit provide components for building one-time password @@ -85,7 +91,8 @@ Documentation files for libpskc. %package -n oathtool Summary: A command line tool for generating and validating OTPs -License: GPLv3+ +# Automatically converted from old format: GPLv3+ - review is highly recommended. +License: GPL-3.0-or-later # https://fedorahosted.org/fpc/ticket/174 Provides: bundled(gnulib) @@ -109,8 +116,8 @@ Requires: pam A PAM module for pluggable login authentication for OATH. %prep -%setup -q -%patch0 -p1 -b .lockfile +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -p1 %build autoreconf -fi 
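Review bot: The two comments above `Source2: keyring.asc` name different 64-bit key IDs (`gpg2 --recv-keys EDA21E94B565716F`, then `gpg2 --armor --export D73CF638C53C06BE`) and neither is a full fingerprint, so a later maintainer cannot reproduce or audit the committed keyring from them. Presumably the first is a signing subkey of the second, but the spec does not say so, nor does it record where the key's authenticity was confirmed before it was committed. The `%{gpgverify}` call added in `%prep` trusts whatever `keyring.asc` contains, so the provenance of that file is the actual trust anchor for the tarball. I would replace the comments with the primary key's full fingerprint and its source, for example `# Upstream release signing key, fingerprint <FULL_40_HEX_FINGERPRINT>, checked against <UPSTREAM_SOURCE>` and `# gpg2 --armor --export <FULL_40_HEX_FINGERPRINT> > keyring.asc`.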
@@ -182,9 +189,54 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath %{_libdir}/security/pam_oath.so %changelog -* Thu Aug 03 2023 Arkady L. Shane - 2.6.7-2 +* Thu Oct 10 2024 Jaroslav Škarvada - 2.6.12-1 +- New version + Resolves: rhbz#2316447 +- Dropped privileges when operating on user files + Resolves: CVE-2024-47191 + +* Thu Jul 25 2024 Miroslav Suchý - 2.6.11-6 +- convert license to SPDX + +* Thu Jul 18 2024 Fedora Release Engineering - 2.6.11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu Apr 11 2024 Jaroslav Škarvada - 2.6.11-4 +- Added gpg2 signature verification + +* Thu Jan 25 2024 Fedora Release Engineering - 2.6.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 2.6.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Jan 11 2024 Jaroslav Škarvada - 2.6.11-1 +- New version + Resolves: rhbz#2257841 + +* Wed Jan 3 2024 Jaroslav Škarvada - 2.6.10-1 +- New version + Resolves: rhbz#2256555 + +* Thu Aug 03 2023 Arkady L. Shane - 2.6.9-2 - Rebuilt for MSVSphere 9.2 +* Thu Jul 20 2023 Fedora Release Engineering - 2.6.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jul 11 2023 Jaroslav Škarvada - 2.6.9-1 +- New version + Resolves: rhbz#2221430 + +* Thu Jan 19 2023 Fedora Release Engineering - 2.6.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Jul 22 2022 Fedora Release Engineering - 2.6.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 2.6.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Thu Jul 22 2021 Fedora Release Engineering - 2.6.7-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild