diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c7a8b46c4d3..1623aa903c5 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -619,6 +619,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Ensure common proxy settings support in HTTP clients: proxy_disabled, proxy_url, proxy_headers and typical environment variables HTTP_PROXY, HTTPS_PROXY, NOPROXY. {pull}25219[25219]
 - `add_process_metadata` processor enrich process information with owner name and id. {issue}21068[21068] {pull}21111[21111]
 - Add proxy support for AWS functions. {pull}26832[26832]
+- Add sha256 digests to RPM packages. {issue}23670[23670]
 
 *Auditbeat*
 
diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
index ece8b73bfab..c2c454c873d 100644
--- a/dev-tools/mage/pkgtypes.go
+++ b/dev-tools/mage/pkgtypes.go
@@ -721,7 +721,10 @@ func runFPM(spec PackageSpec, packageType PackageType) error {
 		"--architecture", spec.Arch,
 	)
 	if packageType == RPM {
-		args = append(args, "--rpm-rpmbuild-define", "_build_id_links none")
+		args = append(args,
+			"--rpm-rpmbuild-define", "_build_id_links none",
+			"--rpm-digest", "sha256",
+		)
 	}
 	if spec.Version != "" {
 		args = append(args, "--version", spec.Version)
diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
index 5134a24e22d..b721b730c6a 100644
--- a/dev-tools/mage/settings.go
+++ b/dev-tools/mage/settings.go
@@ -38,7 +38,7 @@ import (
 )
 
 const (
-	fpmVersion = "1.11.0"
+	fpmVersion = "1.13.1"
 
 	// Docker images. See https://github.com/elastic/golang-crossbuild.
 	beatsFPMImage = "docker.elastic.co/beats-dev/fpm"
diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
index 72538e61629..249bd0bb6db 100644
--- a/dev-tools/packaging/package_test.go
+++ b/dev-tools/packaging/package_test.go
@@ -109,7 +109,7 @@ func TestDocker(t *testing.T) {
 // Sub-tests
 
 func checkRPM(t *testing.T, file string) {
-	p, err := readRPM(file)
+	p, rpmPkg, err := readRPM(file)
 	if err != nil {
 		t.Error(err)
 		return
@@ -127,6 +127,7 @@ func checkRPM(t *testing.T, file string) {
 	checkLicensesPresent(t, "/usr/share", p)
 	checkSystemdUnitPermissions(t, p)
 	ensureNoBuildIDLinks(t, p)
+	checkRPMDigestTypeSHA256(t, rpmPkg)
 }
 
 func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
@@ -478,6 +479,16 @@ func ensureNoBuildIDLinks(t *testing.T, p *packageFile) {
 	})
 }
 
+// checkRPMDigestTypeSHA256 verifies that the RPM contains sha256 digests.
+// https://github.com/elastic/beats/issues/23670
+func checkRPMDigestTypeSHA256(t *testing.T, rpmPkg *rpm.PackageFile) {
+	t.Run("rpm_digest_type_is_sha256", func(t *testing.T) {
+		if rpmPkg.ChecksumType() != "sha256" {
+			t.Errorf("expected SHA256 digest type but got %v", rpmPkg.ChecksumType())
+		}
+	})
+}
+
 // Helpers
 
 type packageFile struct {
@@ -507,10 +518,10 @@ func getFiles(t *testing.T, pattern *regexp.Regexp) []string {
 	return files
 }
 
-func readRPM(rpmFile string) (*packageFile, error) {
+func readRPM(rpmFile string) (*packageFile, *rpm.PackageFile, error) {
 	p, err := rpm.OpenPackageFile(rpmFile)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	contents := p.Files()
@@ -529,7 +540,7 @@ func readRPM(rpmFile string) (*packageFile, error) {
 		pf.Contents[file.Name()] = pe
 	}
 
-	return pf, nil
+	return pf, p, nil
 }
 
 // readDeb reads the data.tar.gz file from the .deb.
diff --git a/x-pack/libbeat/management/manager.go b/x-pack/libbeat/management/manager.go
index 36a4f8c0245..ed476cffaf8 100644
--- a/x-pack/libbeat/management/manager.go
+++ b/x-pack/libbeat/management/manager.go
@@ -39,7 +39,8 @@ type Manager struct {
 	msg       string
 	payload   map[string]interface{}
 
-	stopFunc func()
+	stopFunc  func()
+	isRunning bool
 }
 
 // NewFleetManager returns a X-Pack Beats Fleet Management manager.
@@ -97,10 +98,14 @@ func (cm *Manager) Start(stopFunc func()) {
 		return
 	}
 
+	cm.lock.Lock()
+	defer cm.lock.Unlock()
+
 	cfgwarn.Beta("Fleet management is enabled")
 	cm.logger.Info("Starting fleet management service")
 
 	cm.stopFunc = stopFunc
+	cm.isRunning = true
 	err := cm.client.Start(context.Background())
 	if err != nil {
 		cm.logger.Errorf("failed to start elastic-agent-client: %s", err)
@@ -109,11 +114,15 @@ func (cm *Manager) Start(stopFunc func()) {
 
 // Stop the config manager
 func (cm *Manager) Stop() {
+	cm.lock.Lock()
+	defer cm.lock.Unlock()
+
 	if !cm.Enabled() {
 		return
 	}
 
 	cm.logger.Info("Stopping fleet management service")
+	cm.isRunning = false
 	cm.client.Stop()
 }
 
@@ -197,6 +206,15 @@ func (cm *Manager) OnStop() {
 }
 
 func (cm *Manager) OnError(err error) {
+	isStopped := false
+	cm.lock.Lock()
+	isStopped = !cm.isRunning
+	cm.lock.Unlock()
+
+	if isStopped && errors.Is(err, context.Canceled) {
+		// don't report context cancelled on shutdown
+		return
+	}
 	cm.logger.Errorf("elastic-agent-client got error: %s", err)
 }